Executive Summary


This  is  the  final  report  for  the  ARO  Presidential  Early  Career  Award  for  Scientists  and  Engineers 
(PECASE) project entitled “Information Assurance for Energy-Constrained Wireless Sensor Networks.”
A summary of the project outcomes is as follows. The following PhD students were fully
or  partially  funded  at  the  Network  Security  Lab  (NSL),  University  of  Washington:  Mingyan  Li 
(graduated  2006,  currently  at  Boeing  Research  and  Technology),  Loukas  Lazos  (graduated  2007, 
currently  Assistant  Professor  at  University  of  Arizona,  received  NSF  CAREER  Award),  Krishna 
Sampigethaya  (graduated  2007,  currently  at  Boeing  Research  and  Technology),  Patrick  Tague 
(graduated  2009,  currently  Assistant  Professor  at  Carnegie-Mellon  University  -  Mountain  View), 
Weiyao  Lin  (graduated  2009,  currently  Assistant  Professor  at  Shanghai  Jiaotong  University),  Basel 
Alomair  (graduated  2011,  currently  Assistant  Professor  at  King  Abdulaziz  City  for  Science  and 
Technology), and Sidharth Nabar (graduated 2011, currently at Microsoft). During this performance
period, graduate students of NSL received the following awards: Student Best Paper Award
at  the  IEEE  International  Symposium  on  Personal,  Indoor,  and  Mobile  Radio  Communications 
(PIMRC)  2007  (Patrick  Tague  and  Mingyan  Li);  Outstanding  Graduate  Research  Award,  Center 
for Information Assurance and Cybersecurity CAE-R (Patrick Tague); the University of Washington
Electrical Engineering Yang Research Award (Patrick Tague); the IEEE-IFIP William C.
Carter  Award,  2010  (Basel  Alomair);  the  Pride@Boeing  Award,  2010  for  technology  transition  of 
jamming  simulation  module  to  Boeing  (Sidharth  Nabar  and  He  Wu);  and  the  Best  Paper  Award 
for  the  NextGen  Surveillance  Session  at  the  IEEE  Digital  Avionics  Systems  Conference  (DASC), 
2010  (Krishna  Sampigethaya).  This  project  also  resulted  in  two  Internet  draft  RFCs.  The  results 
of  this  ARO  PECASE  formed  the  basis  of  the  University  of  Washington’s  contribution  to  an  ARO 
MURI.  It  also  led  to  a  collaboration  with  the  Army  Research  Lab,  which  resulted  in  a  joint  patent 
filing. 

In  this  report,  the  following  topics  are  discussed: 

• Secure Localization in Wireless Ad Hoc Networks — Many current and future applications
of mobile ad hoc networks, including disaster response and event monitoring, require
nodes to accurately estimate their positions in a distributed fashion. In order to prevent the
network from achieving these objectives, an adversary may attempt to disrupt the node location
estimation. Three possible attacks identified in this project are the Sybil attack, in which
an adversary assumes multiple network identities; the wormhole attack, in which an adversary
replays location claims from different geographic areas; and attacks based on compromise of
network entities. We have developed two novel secure localization mechanisms: (i) SEcure
Range-independent Localization (SERLOC), and (ii) High-resolution Range-independent
Localization  (HiRLOC).  For  each  mechanism,  we  analyzed  the  location  estimation  accuracy 
in  the  presence  of  the  attacks  described  above  using  spatial  statistics  theory,  and  proved  that 
our  schemes  afford  greater  accuracy  than  state-of-the-art  localization  mechanisms  while  also 
providing  robustness  to  attack. 

•  A  Graph  Theoretic  Framework  for  Preventing  the  Wormhole  Attack  in  Wireless 
Ad  Hoc  Networks  —  Network  functionalities  such  as  routing  are  based  on  local  broadcast, 
in  which  nodes  broadcast  messages  intended  only  for  their  immediate  one-hop  neighbors. 
These  functionalities  can  be  compromised  by  an  adversary  who  eavesdrops  on  the  medium, 
records  locally  broadcast  messages,  and  replays  them  in  a  different  region  of  the  network  (the 
wormhole  attack).  In  this  project,  we  formulated  a  graph-theoretic  framework  for  modeling 
the wormhole attack and derived necessary and sufficient conditions for detecting wormholes.
Moreover, using our framework, we developed wormhole detection mechanisms based
on a novel cryptographic mechanism, which we call local broadcast keys. We evaluate the
effectiveness of our proposed method using the theory of spatial statistics.

• Resource-Efficient Group Key Management for Secure Multicast in Ad Hoc Networks
— The traffic for a multicast session is typically encrypted with a single encryption key.
In order to ensure forward and backward secrecy, multicast encryption keys must be updated
whenever a user enters or leaves the session. While existing approaches to key distribution and
update  consider  key  storage  at  each  user  and  communication  overhead  at  the  group  controller 
(GC),  in  wireless  networks  there  is  an  additional  energy  cost  associated  with  forwarding  keys 
from  the  GC  to  the  wireless  users.  We  investigated  the  problem  of  energy-efficient  group 
key management and developed a cross-layer key management system, RawKey, that incorporates
the network topology and transmission power of each node in order to choose an
optimal  key  distribution.  We  also  introduced  a  heuristic,  VP3,  for  designing  optimal  key 
assignment  structures  for  energy  and  bandwidth  efficiency. 

• A Canonical Seed Assignment Model for Key Predistribution in Wireless Sensor
Networks — Wireless sensor networks rely on low-cost devices that may not be able
to  perform  public-key  cryptographic  operations.  Instead,  symmetric  encryption  keys  are 
preloaded  onto  each  node  during  the  key  predistribution  phase  prior  to  deployment.  These 
keys  are  then  used  to  establish  secure  connectivity;  at  the  same  time,  however,  widespread 
reuse  of  keys  means  that  compromise  of  a  single  sensor  can  affect  the  confidentiality  of  traffic 
on  multiple  links.  We  analyzed  the  key  predistribution  problem  within  a  sampling-based 
canonical  framework,  in  which  the  parameter  of  interest  is  the  probability  distribution  of  the 
number  of  sensor  nodes  holding  each  key.  We  showed  how  to  classify  and  analyze  existing 
key  predistribution  schemes  within  this  framework,  and  used  our  model  to  obtain  bounds 
on  the  worst-case  performance  of  each  scheme.  In  addition,  we  generalized  the  notion  of 
k-connectivity to model a scenario in which connectivity is restricted by both radio range
constraints  and  security  requirements,  and  demonstrated  how  to  apply  this  model  to  network 
design. 

• Evaluating the Vulnerability of Network Traffic Using Joint Security and Routing
Analysis — In an ad hoc network, packets may traverse multiple intermediate links
before  arriving  at  the  destination.  As  a  result,  message  confidentiality  and  integrity  may 
be  violated  if  even  a  single  intermediate  link  is  compromised.  We  developed  two  Route 
Vulnerability  Metrics  for  evaluating  the  vulnerability  of  network  traffic  under  node  capture 
attacks:  (i)  the  set-theoretic  metric,  which  quantifies  the  route  vulnerability  as  a  function  of 
the  number  of  cryptographic  keys  securing  each  intermediate  link,  and  (ii)  the  circuit-theoretic 
metric,  in  which  each  link  between  source  and  destination  is  mapped  to  an  equivalent  electric 
resistance,  representing  the  vulnerability  of  that  link  to  attack.  The  overall  vulnerability  is 
then  given  as  the  effective  resistance  between  source  and  destination. 
Chapter 1

Secure  Localization  in  Wireless  Ad 
Hoc  Networks 


Many of the applications proposed for wireless ad hoc and node networks require knowledge of the
origin of the sensed information. For example, in a disaster relief operation using a node network,
to locate any survivor in a collapsed building, it is critical that nodes report monitoring information
along with their location. Furthermore, location is assumed to be known in many ad hoc network
operations, such as routing protocols, or security protocols where location information is used to
prevent threats against network services [90,104]. In the previous chapter, we assumed that the
node location is known in order to perform energy-efficient key management.

Since  ad  hoc  networks  may  be  deployed  in  hostile  environments  and  operate  unsupervised,  they 
are  vulnerable  to  conventional  and  new  attacks  [90, 94]  aimed  at  interrupting  the  functionality  of 
location-aware  applications  by  exploiting  the  vulnerabilities  of  the  localization  scheme.  Though 
many  localization  techniques  have  been  proposed  for  wireless  ad  hoc  networks  [46, 57, 86, 123, 125, 
136,146,159],  research  in  secure  location  estimation  is  in  its  infancy. 

In  this  chapter,  we  address  the  problem  of  location  estimation  in  wireless  ad  hoc  and  node 
networks in an adversarial environment. We propose two localization algorithms, called SeRLoc and
HiRLoc, that enable the network nodes to estimate their position robustly even in the presence
of security threats. Since network nodes are hardware and power limited, we rely on a two-tier
network architecture to limit the computation at the node side. Our network is comprised of a small
number of nodes equipped with special hardware, which we call locators, and a large number of
resource-constrained node devices. However, we preserve the characteristics of ad hoc networks by randomly
deploying both the nodes and the locators, and by allowing them to communicate in ad hoc mode.
Moreover, since distance measurements are susceptible to distance enlargement/reduction, we do
not use any such measurements to infer the node location. We refer to methods that do not use
distance measurements as range-independent localization schemes [57,86,123,125]. For the problem
of  secure  location  estimation,  we  make  the  following  contributions. 

1.1  Our  Contributions 

We  address  the  problem  of  secure  localization  in  wireless  ad  hoc  networks,  and  propose  SeRLoc,  a 
novel range-independent localization scheme based on a two-tier network architecture, that achieves
decentralized, resource-efficient node localization. We describe well known security threats against
ad hoc networks, such as the wormhole attack [90,127], the Sybil attack [74,124], and compromise
of network entities, and provide mechanisms that allow each node to determine its location even in
the presence of those threats. Furthermore, we analytically evaluate the probability of success for
each type of attack using spatial statistics theory [71]. Based on our performance evaluation, we
show that SeRLoc localizes nodes with higher accuracy than state-of-the-art decentralized
range-independent localization schemes [57,86,123,125], and is robust against varying sources of error. We
also  present  HiRLoc,  a  high-resolution  localization  algorithm  that  provides  improved  localization 
accuracy  compared  to  SeRLoc,  while  it  preserves  the  robustness  against  attacks  and  does  not 
require  additional  hardware  resources. 

1.2  Related  Work 

1.2.1  Related  Work  on  Localization 

Localization schemes can be classified into range-dependent and range-independent schemes.
In  range-dependent  schemes,  nodes  determine  their  location  based  on  distance  or  angle  estimates  to 
some  reference  points  with  known  coordinates.  Such  estimates  may  be  acquired  through  different 
methods  such  as  time  of  arrival  (TOA)  [87,159],  time  difference  of  arrival  (TDOA)  [136,146],  angle 
of  arrival  (AOA)  [126],  or  received  signal  strength  indicator  (RSSI)  [46]. 

In  the  range-independent  localization  schemes,  nodes  determine  their  location  without  any 
time,  angle,  or  power  measurements.  In  [57],  the  authors  propose  an  outdoor  localization  scheme 
called  Centroid,  where  nodes  estimate  their  position  as  the  centroid  of  the  locations  of  all  the 
beacons transmitted from reference points. The Centroid method is easy to implement and incurs low
communication  cost.  However,  it  results  in  a  very  crude  approximation  of  node  location. 

In  [125],  the  authors  propose  DV-hop,  where  each  node  determines  the  number  of  hops  to  nodes 
with  known  locations  called  landmarks,  using  a  distance  vector  like  method.  Once  the  number  of 
hops  to  at  least  three  landmarks  is  known,  nodes  use  an  average  hop  size  estimate  to  determine 
their  distance  to  the  landmarks,  and  apply  multilateration  to  determine  their  absolute  location. 
In  [123],  the  authors  follow  a  similar  approach  to  DV-hop,  with  the  exception  of  computing  the 
average  hop  size  offline  using  an  approximate  formula  [96]  with  the  assumption  that  every  network 
node  has  at  least  a  neighborhood  of  15  nodes. 

In  [86],  the  authors  propose  APIT,  a  range-independent  localization  scheme  that  localizes  nodes 
based  on  beacons  transmitted  from  reference  points  called  anchors,  and  neighbor  node  information. 
In  APIT,  a  node  s  performs  a  test  to  determine  whether  it  is  inside  the  triangle  defined  by  a  3-tuple 
of  anchors  heard  by  the  node.  The  test  is  repeated  for  all  3-tuples  of  anchors  heard  by  s  and  the 
location  is  computed  as  the  center  of  gravity  of  the  triangles’  overlapping  region. 

Two  methods  have  been  proposed  that  utilize  connectivity  information  to  determine  the  node 
location.  In  [73],  the  authors  formulate  a  semi-definite  program  based  on  the  connectivity-induced 
constraints,  and  obtain  the  optimal  position  estimates.  In  [148],  the  authors  use  multidimensional 
scaling to acquire an arbitrary rotation of the network topology. Furthermore, if any three nodes
know  their  location,  the  network  topology  can  be  mapped  to  the  absolute  node  location.  Both 
schemes  in  [73, 148]  require  centralized  computation  and  extensive  communications  and  hence,  are 
not  used  for  comparison  in  the  performance  evaluation. 

1.2.2  Related  Work  on  Secure  Localization 

While an extensive literature exists for location estimation schemes for WSN in a benign environment
[57,73,86,87,123,125,136,146,148], few articles have appeared addressing the problem of sensor
location estimation and verification in an adversarial setting [55,101,105-108,113,115,145,158,160].


Sastry  et  al.  [145]  proposed  the  ECHO  protocol  for  verifying  the  location  claim  of  a  node,  using 
a  challenge  response  scheme  and  a  combination  of  RF  and  Ultrasound  signals.  ECHO  is  based  on 
a  distance  bounding  protocol  proposed  by  Brands  and  Chaum  [55].  Capkun  and  Hubaux  proposed 
Verifiable  Multilateration  (VM)  for  securing  range-based  localization  schemes  [160].  In  VM,  a  node 
must  verify  its  distance  to  at  least  three  reference  points  in  order  to  securely  estimate  its  position. 
Capkun  et  al.  also  proposed  a  location  verification  method  based  on  hidden  reference  points  that 
can  verify  the  validity  of  the  location  claims  of  nodes  [158]. 

Liu  et  al.  [116]  proposed  an  attack-resistant  location  estimation  technique  that  can  filter  bogus 
beacon information provided that a significant majority of beacons is benign. Li et
al.  [113]  discuss  a  variety  of  attacks  specific  to  the  localization  process  and  propose  robust  statistical 
methods  that  provide  attack  resistant  localization.  Finally,  Kuhn  [101]  has  proposed  an  asymmetric 
security  mechanism  for  securing  GPS-like  navigation  signals. 

1.3  Problem  Statement  &  Network  Model 

1.3.1  Problem  Statement 

We  study  the  problem  of  enabling  nodes  of  an  ad  hoc  network  to  determine  their  location  even 
in  the  presence  of  malicious  adversaries.  This  problem  will  be  referred  to  as  Secure  Localization. 
We  consider  secure  localization  in  the  context  of  the  following  design  goals:  (a)  decentralized 
implementation,  (b)  resource  efficiency,  (c)  range-independence,  and  (d)  robustness  against  security 
threats. 

1.3.2  Network  Model 
Network  deployment 

We assume a two-tier network architecture with a set of nodes $S$ of unknown location randomly
deployed with a density $\rho_s$ within an area $A$, and a set of specially equipped nodes $L$ we call locators,
with known location¹ and orientation, also randomly deployed with a density $\rho_L \ll \rho_s$.


Antenna  model 

We assume that nodes are equipped with omnidirectional antennas and transmit with a power $P_s$,
while locators are equipped with $M$ directional antennas with a directivity gain $G > 1$, and can
transmit with a power $P_L > P_s$. Let the signal attenuation over space be proportional to some
exponent $\gamma$ of the distance $d$ between two nodes, times the antenna directivity gain $G$ ($G = 1$ for
omnidirectional antennas), i.e. $\frac{P_s}{P_r} = cG^2 d^{\gamma}$, with $2 < \gamma < 5$, where $c$ denotes a proportionality
constant and $P_r$ denotes the minimum required receive power for communication. If $r_{ss}$ denotes
the node-to-node communication range and $r_{sL}$ denotes the node-to-locator communication range
then,

$$\frac{P_s}{P_r} = c\,(r_{ss})^{\gamma}, \qquad \frac{P_s}{P_r} = cG\,(r_{sL})^{\gamma} \qquad (1.1)$$

From (1.1), it follows $r_{sL} = r_{ss} G^{1/\gamma}$. Similarly, if $r_{Ls}$ denotes the locator-to-node communication
range, the locator-to-locator communication range $r_{LL}$ is equal to $r_{LL} = r_{Ls} G^{1/\gamma}$. For notational
simplicity we will refer to $r_{ss}$ as $r$, and to $r_{Ls}$ as $R$.

¹ By acquiring their position either through manual insertion or through GPS receivers [87]. Though GPS signals
can be spoofed, knowledge of the coordinates of several nodes is essential to achieve any kind of node localization,
for any localization scheme.

System  parameters 

Since both locators and network nodes are randomly and independently deployed, it is essential
to select the system parameters, so that locators can communicate with the network nodes. The
random deployment of the locators with a density $\rho_L$ = ($|\cdot|$ denotes the cardinality of a set) is
equivalent to a sequence of events following a homogeneous Poisson point process of rate $\rho_L$ [71].
The random deployment of the nodes with a density $\rho_s$ = is equivalent to a random sampling
of the area $A$ with rate $\rho_s$ [71]. Making use of Spatial Statistics theory [71], if $LH_s$ denotes the
set of locators heard by a node $s$, i.e. being within range $R$ from $s$, the probability that $s$ hears
exactly $k$ locators, given that the locators are randomly and independently deployed, is given by
the Poisson distribution:

$$P(|LH_s| = k) = \frac{(\rho_L \pi R^2)^k}{k!}\, e^{-\rho_L \pi R^2}. \qquad (1.2)$$

Based on (1.2), we compute the probability for every node to hear at least $k$ locators, $P(|LH_s| \geq k)$:

$$P(|LH_s| \geq k,\ \forall s \in S) = \Big(1 - \sum_{i=0}^{k-1} \frac{(\rho_L \pi R^2)^i}{i!}\, e^{-\rho_L \pi R^2}\Big)^{|S|}. \qquad (1.3)$$

Equation (1.3) allows the choice of $\rho_L$, $R$ so that a node will hear at least $k$ locators with any
desired probability. Derivations of (1.2), (1.3) are presented in Appendix 1.10.1.
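
Equation (1.3) can be turned into a parameter-selection routine. The following Python is an added example, not code from the report: the function names and the sample values (R = 40, 200 nodes, k = 3, target 0.99) are constructed, and the search relies on (1.3) being increasing in the locator density.

```python
import math


def p_hears_exactly(k, rho_l, R):
    """Eq. (1.2): probability that a node hears exactly k locators."""
    mean = rho_l * math.pi * R ** 2
    return mean ** k / math.factorial(k) * math.exp(-mean)


def p_all_hear_at_least(k, rho_l, R, num_nodes):
    """Eq. (1.3): probability that each of num_nodes nodes hears >= k locators."""
    p_fewer = sum(p_hears_exactly(i, rho_l, R) for i in range(k))
    return (1.0 - p_fewer) ** num_nodes


def min_locator_density(k, R, num_nodes, target, tol=1e-9):
    """Smallest locator density meeting the target probability.

    P(Poisson >= k) grows with the mean, so Eq. (1.3) is increasing in
    rho_L and bisection finds the threshold.
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    lo, hi = 0.0, 1.0
    while p_all_hear_at_least(k, hi, R, num_nodes) < target:
        hi *= 2.0                      # grow the bracket until it satisfies the target
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if p_all_hear_at_least(k, mid, R, num_nodes) >= target:
            hi = mid
        else:
            lo = mid
    return hi                          # hi always satisfies the target


# Constructed sample values, not taken from the report.
SAMPLE_R, SAMPLE_NODES, SAMPLE_K, SAMPLE_TARGET = 40.0, 200, 3, 0.99

if __name__ == "__main__":
    rho = min_locator_density(SAMPLE_K, SAMPLE_R, SAMPLE_NODES, SAMPLE_TARGET)
    print("minimum locator density:", rho)
    print("mean locators heard per node:", rho * math.pi * SAMPLE_R ** 2)
```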

1.4  SeRLoc:  Secure  Range-Independent  Localization  Scheme 

In this Section we present the SEcure Range-independent Localization scheme (SeRLoc) that
enables  nodes  to  determine  their  location  based  on  beacon  information  transmitted  by  the  locators, 
even  in  the  presence  of  security  threats. 

1.4.1  Location  Determination 

In  SeRLoc,  nodes  determine  their  location  based  on  the  beacon  information  transmitted  by  locators. 
Figure  1.1(a)  illustrates  the  idea  behind  the  scheme.  Each  locator  transmits  different  beacons  at 
each  antenna  sector  with  each  beacon  containing,  (a)  the  locator’s  coordinates,  (b)  the  angles  of 
the  antenna  boundary  lines  with  respect  to  a  global  axis. 

If a node receives a beacon transmitted at a specific antenna sector of a locator $L_i$, it has to
be included within that sector. Given the locator-to-node communication range $R$, the coordinates
of the transmitting locators and the sector boundary lines provided by the beacons, each node
determines its location as the center of gravity (CoG) of the overlapping region of the different
sectors. The CoG is the least square error solution given that a node can lie with equal probability
at any point of the overlapping region. In figure 1.1(a), the node hears beacons from locators
$L_1 \sim L_4$ and determines its position as the CoG of the overlapping region between the four antenna
sectors. We now present the algorithmic details of SeRLoc.

Step 1 - Collection of localization information - In step 1, the node collects information from all
the locators that it can hear. A node $s$ can hear all locators $L_i \in L$ that lie within a circle of
radius $R$, centered at $s$.

$$LH_s = \{L_i : \|s - L_i\| < R,\ L_i \in L\}. \qquad (1.4)$$

Figure 1.1: (a) The node hears locators $L_1 \sim L_4$ and estimates its location as the Center of Gravity (CoG) of the
overlapping region of the sectors that include it. (b) Determination of the search area.

Step 2 - Search area - In step 2, the node computes a search area for its location. Let $X_{min}, Y_{min}, X_{max}, Y_{max}$
denote the minimum and the maximum locator coordinates from the set $LH_s$.

$$X_{min} = \min_{L_i \in LH_s} X_i, \quad X_{max} = \max_{L_i \in LH_s} X_i, \quad Y_{min} = \min_{L_i \in LH_s} Y_i, \quad Y_{max} = \max_{L_i \in LH_s} Y_i. \qquad (1.5)$$

Since every locator of set $LH_s$ needs to be within a range $R$ from node $s$, if $s$ can hear
locator $L_i$ with coordinates $(X_{min}, Y_i)$, it has to be located left from the vertical boundary of
$(X_{min} + R)$. Similarly, $s$ has to be located right from the vertical boundary of $(X_{max} - R)$,
below the horizontal boundary of $(Y_{min} + R)$, and above the horizontal boundary of $(Y_{max} - R)$.

The dimensions of the rectangular search area are $(2R - d_x) \times (2R - d_y)$ where $d_x, d_y$ are the
horizontal distance $d_x = X_{max} - X_{min} < 2R$ and the vertical distance $d_y = Y_{max} - Y_{min} < 2R$,
respectively. In figure 1.1(b), we show the search area for the network setup in figure 1.1(a).

Step 3 - Overlapping region, Majority vote - In step 3, nodes determine the overlapping region
of all sectors they hear. Since it is computationally expensive for each node to analytically
determine the overlapping region based on the line intersections, we employ a grid scoring
system that defines the overlapping region based on majority vote.

Grid score table: The node places a grid of equally spaced points within the rectangular
search area as shown in figure 1.2(a). For each grid point, the node holds a score in a grid
score table, with initial values equal to zero. For each grid point, the node executes the grid-sector
test detailed below, to decide if the grid point is included in a sector heard from a locator
of set $LH_s$. If the grid-sector test is positive, the node increments the corresponding grid score
table value by one, otherwise the value remains unchanged. This process is repeated for all
locators heard, $LH_s$, and all the grid points. The overlapping region is defined by the grid
points that have the highest score in the grid score table. In figure 1.2(a), we show the grid
score table and the corresponding overlapping region.

Note  that  due  to  the  finite  grid  resolution,  the  use  of  grid  points  for  the  definition  of  the 
overlapping  region  induces  error  in  the  calculation.  The  resolution  of  the  grid  can  be  increased 
to  reduce  the  error  at  the  expense  of  energy  consumption  due  to  the  increased  processing 
time. 
Figure 1.2: (a) Steps 3, 4: Placement of a grid of equally spaced points in the search area, and the corresponding
grid score table. The node estimates its position as the centroid of all grid points with the highest score. (b) Step 3:
Grid-sector test for a point $g$ of the search area.


Grid-sector test: A point $g : (x_g, y_g)$ is included in a sector of angles $[\theta_1, \theta_2]$ originating
from locator $L_i$ if it satisfies two conditions:

$$C_1 : \|g - L_i\| < R, \qquad C_2 : \theta_1 < \phi < \theta_2, \qquad (1.6)$$

where $\phi$ is the slope of the line connecting $g$ with $L_i$. Note that the node does not have to
perform any angle-of-arrival (AOA) measurements. Both the coordinates of the locators and
the grid points are known, and hence the node can analytically calculate $\phi$. In figure 1.2(b),
we show the grid-sector test, with all angles referred to the x axis.

Step 4 - Location estimation - The node determines its location as the centroid of all the grid
points that define the overlapping region:

$$\tilde{s} : (x_{est}, y_{est}) = \Big(\frac{1}{n}\sum_{i=1}^{n} x_{g_i},\ \frac{1}{n}\sum_{i=1}^{n} y_{g_i}\Big), \qquad (1.7)$$

where $n$ is the number of grid points of the overlapping region, and $(x_{g_i}, y_{g_i})$ are the coordinates
of the grid points. Alternatively, the sensor may define the Region of Intersection
(ROI) of all the sectors as the region where it is located, without computing a single point
as its position.
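
Steps 1 to 4 as runnable Python, added here as an illustration and not taken from the report. The names, the even grid spacing, the sector layout (M = 8 equal sectors aligned to the x axis) and the sample coordinates are assumptions; the grid-sector test also handles sectors that wrap past the x axis.

```python
import math
from dataclasses import dataclass

TWO_PI = 2 * math.pi


@dataclass(frozen=True)
class Beacon:
    x: float        # locator coordinates (X_i, Y_i)
    y: float
    theta1: float   # sector boundary angles in radians, measured from the x axis
    theta2: float


def beacons_heard(locators, node, R, M):
    """Step 1, Eq. (1.4), simulated: each locator within range R of the node
    delivers the beacon of the one antenna sector (out of M) that covers it."""
    width = TWO_PI / M
    heard = []
    for lx, ly in locators:
        if math.hypot(node[0] - lx, node[1] - ly) <= R:
            bearing = math.atan2(node[1] - ly, node[0] - lx) % TWO_PI
            idx = int(bearing // width) % M
            heard.append(Beacon(lx, ly, idx * width, (idx + 1) * width))
    return heard


def search_area(beacons, R):
    """Step 2, Eq. (1.5): rectangle [Xmax-R, Xmin+R] x [Ymax-R, Ymin+R]."""
    xs = [b.x for b in beacons]
    ys = [b.y for b in beacons]
    return max(xs) - R, min(xs) + R, max(ys) - R, min(ys) + R


def grid_sector_test(gx, gy, beacon, R):
    """Step 3, Eq. (1.6): C1 is the range check, C2 the angle check. The angle
    is computed from known coordinates; wrap-around sectors are handled by
    comparing angular offsets modulo 2*pi. Boundaries count as inside."""
    if math.hypot(gx - beacon.x, gy - beacon.y) > R:
        return False
    phi = math.atan2(gy - beacon.y, gx - beacon.x)
    width = (beacon.theta2 - beacon.theta1) % TWO_PI
    return (phi - beacon.theta1) % TWO_PI <= width


def localize(beacons, R, res=50):
    """Steps 3-4: score a res x res grid, keep the top-scoring points
    (majority vote), return their centroid, Eq. (1.7), and the top score."""
    if not beacons:
        raise ValueError("no beacons heard; cannot localize")
    x_lo, x_hi, y_lo, y_hi = search_area(beacons, R)
    best, winners = -1, []
    for k in range(res):
        gx = x_lo + k * (x_hi - x_lo) / (res - 1)   # assumed even spacing
        for w in range(res):
            gy = y_lo + w * (y_hi - y_lo) / (res - 1)
            score = sum(grid_sector_test(gx, gy, b, R) for b in beacons)
            if score > best:
                best, winners = score, [(gx, gy)]
            elif score == best:
                winners.append((gx, gy))
    n = len(winners)
    return (sum(p[0] for p in winners) / n, sum(p[1] for p in winners) / n), best


# Constructed scenario: node at (50, 50), R = 40, M = 8 sectors per locator.
# The last locator is out of range and must not be heard.
NODE, RANGE, SECTORS = (50.0, 50.0), 40.0, 8
LOCATORS = [(30.0, 40.0), (70.0, 45.0), (55.0, 80.0), (45.0, 20.0), (120.0, 120.0)]

if __name__ == "__main__":
    heard = beacons_heard(LOCATORS, NODE, RANGE, SECTORS)
    estimate, score = localize(heard, RANGE)
    print(len(heard), "locators heard, top score", score, "estimate", estimate)
```

Raising `res` shrinks the discretization error at the cost of more grid-sector tests, which is the energy trade-off noted in Step 3.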
1.4.2 Security Mechanisms of SeRLoc

We  now  describe  the  security  mechanisms  of  SeRLoc,  that  facilitate  node  localization  in  the  presence 
of  security  threats. 

Encryption 

All beacons transmitted from locators are encrypted with a globally shared symmetric key $K_0$. In
addition, every node $s$ shares a symmetric pairwise key $K_s^{L_i}$ with every locator $L_i$, also pre-loaded.
Since the number of locators deployed is relatively small, the storage requirement at the node side is
within the storage constraints (a total of $|L|$ keys). For example, mica motes [118] have 128Kbytes
of programmable flash memory. Using 64-bit RC5 [141] symmetric keys and for a network with
200 locators, a total of 1.6Kbytes of memory is required to store all the keys of the node with
every locator. In order to save storage space at the locator (locators would have to store $|S|$ keys),
pairwise keys $K_s^{L_i}$ are derived from a master key $K_{L_i}$, using a pseudo-random function $h$ [151] and
the unique node $ID_s$: $K_s^{L_i} = h_{K_{L_i}}(ID_s)$.

Locator  ID  authentication 

The use of a globally shared key for the beacon encryption allows a malicious node to inject
bogus  beacons  into  the  network.  To  prevent  nodes  from  broadcasting  bogus  beacons,  we  require 
nodes  to  authenticate  the  source  of  the  beacons  using  collision-resistant  hash  functions  [151]. 

We use the following scheme based on efficient one-way hash chains [103], to provide locator ID
authentication. Each locator $L_i$ has a unique password $PW_i$, blinded with the use of a collision-resistant
hash function such as SHA1 [151]. Due to the collision resistance property, it is computationally
infeasible for an attacker to find a $PW_j$, such that $H(PW_i) = H(PW_j)$, $PW_i \neq PW_j$.
The hash sequence is generated using the following equation:

$$H^0 = PW_i, \quad H^i = H(H^{i-1}), \quad i = 1, \cdots, n, \qquad (1.8)$$

with $n$ being a large number and $H^0$ never revealed to any node. Each node is pre-loaded with a
table containing the ID of each locator and the corresponding hash value $H^n(PW_i)$. For a network
with 200 locators, we need 8 bits to represent locator IDs. In addition, collision-resistant hash
functions such as SHA1 [151] have a 160-bit output. Hence, the storage requirement of the hash
table at any node is only 4.2Kbytes. To reduce the storage needed at the locators, we employ an
efficient storage/computation method for hash chains of time/storage complexity O(log2(n)) [69].

The $j$th broadcasted beacon from locator $L_i$ includes the hash value $H^{n-j}(PW_i)$, along with
the index $j$. Every node that hears the beacon accepts the message only if:

$$H(H^{n-j}(PW_i)) = H^{n-j+1}(PW_i). \qquad (1.9)$$

After verification, the node replaces $H^{n-j+1}(PW_i)$ with $H^{n-j}(PW_i)$ in its memory, and increases
the hash counter by one, so as to perform only one hash operation in the reception of the
next beacon from the same locator $L_i$. The index $j$ is included in the beacons, so that nodes can
re-synchronize with the current published hash value, in case of loss of some intermediate hash
values. The beacon of locator $L_i$ has the following format:

$$L_i : \{\, (X_i, Y_i) \,\|\, (\theta_1, \theta_2) \,\|\, (H^{n-j}(PW_i)) \,\|\, j \,\|\, ID_{L_i} \,\}_{K_0}, \qquad (1.10)$$

where  ||  denotes  the  concatenation  operation  and  {ra}#  denotes  the  encryption  of  message  m 
with  key  K.  Note  that  our  method  does  not  provide  end-to-end  locator  authentication,  but  only 
guarantees authenticity for the messages received from locators directly heard to a node. This condition is sufficient to secure our localization scheme against possible attacks. The pseudo-code for SeRLoc is presented in figure 1.3.

SeRLoc: Secure Range-Independent Localization Scheme

L : broadcast $L_i : \{ (X_i, Y_i) \| (\theta_1, \theta_2) \| (H^{n-j}(PW_i)) \| j \| ID_{L_i} \}_{K_0}$
$LH_s = \{L_i : \|s - L_i\| \le R\} \cap \{H(H^{n-j}(PW_i)) = H^{n-j+1}(PW_i)\}$
s : define $A_s = [X_{max} - R,\ X_{min} + R,\ Y_{max} - R,\ Y_{min} + R]$
for k = 1 : res
    for w = 1 : res
        g(k, w) = $(x_{g_i}, y_{g_i})$ = (. Xmax -R + , Tma;c -R + wYma^
        for z = 1 : $|LH_s|$
            if { $\|g(k,w) - L_z\| \le R \ \cap\ \theta_1 \le \angle g(k,w) \le \theta_2$ }
                GST(k, w) = GST(k, w) + 1
$MGS = \{ g(k,w) : \{k, w\} = \arg\max GST \}$
s : $(X_{est}, Y_{est}) = \left( \frac{1}{|MGS|} \sum_{i=1}^{|MGS|} x_{g_i},\ \frac{1}{|MGS|} \sum_{i=1}^{|MGS|} y_{g_i} \right)$

Figure 1.3: The pseudo-code of SeRLoc.
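The node-side check of equation (1.9), including the re-synchronization over lost beacons that the index j makes possible, can be sketched as follows. This is an added example, not code from the report; the class name `BeaconVerifier`, the `max_skip` bound and the sample password are assumptions, and SHA-1 is used only because the text names it.

```python
import hashlib


def H(value: bytes) -> bytes:
    """One step of the one-way chain (SHA-1, 160-bit output, as named in the text)."""
    return hashlib.sha1(value).digest()


def chain_value(password: bytes, k: int) -> bytes:
    """Return H^k(password): the password hashed k times (locator side)."""
    v = password
    for _ in range(k):
        v = H(v)
    return v


class BeaconVerifier:
    """Node-side hash table: locator ID -> (last accepted index j, last accepted hash)."""

    def __init__(self, preloaded: dict, max_skip: int = 16):
        # preloaded maps locator ID -> H^n(PW_i), loaded before deployment (index 0).
        self.table = {lid: (0, head) for lid, head in preloaded.items()}
        # Assumed bound on how many lost beacons a node is willing to hash across.
        self.max_skip = max_skip

    def accept(self, locator_id: int, j: int, value: bytes) -> bool:
        if locator_id not in self.table:
            return False                      # ID was never pre-loaded
        last_j, stored = self.table[locator_id]
        gap = j - last_j
        if gap <= 0 or gap > self.max_skip:
            return False                      # already-published index, or implausible jump
        # Hash forward 'gap' times: H^gap(H^{n-j}) must equal the stored H^{n-last_j}.
        v = value
        for _ in range(gap):
            v = H(v)
        if v != stored:
            return False                      # not a preimage of the stored value
        self.table[locator_id] = (j, value)   # next beacon needs a single hash
        return True


def demo():
    n = 100
    pw = b"constructed-password-for-locator-7"   # constructed sample value
    node = BeaconVerifier({7: chain_value(pw, n)})
    return [
        node.accept(7, 1, chain_value(pw, n - 1)),  # first beacon
        node.accept(7, 1, chain_value(pw, n - 1)),  # same beacon replayed
        node.accept(7, 4, chain_value(pw, n - 4)),  # beacons 2 and 3 were lost
        node.accept(7, 5, b"\x00" * 20),            # forged hash value
        node.accept(7, 5, chain_value(pw, n - 5)),  # genuine beacon after the forgery
    ]


if __name__ == "__main__":
    print(demo())
```

A rejected beacon leaves the stored value untouched, so a forged or replayed message cannot desynchronize the node from the locator's chain.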


1.5  Threat  Analysis 

In  this  section  we  describe  possible  security  threats  against  SeRLoc  and  show  that  SeRLoc  is 
resilient  against  those  threats.  Note  that  our  goal  is  not  to  prevent  the  attacks  that  may  be  harmful 
in  many  network  protocols,  but  to  allow  sensors  to  determine  their  location,  even  in  the  presence 
of  such  attacks. 

1.5.1  The  Wormhole  Attack 
Threat  model 

To mount a wormhole attack, an attacker initially establishes a direct link, referred to as the wormhole link, between two points in the network. Once the wormhole link is established, the attacker eavesdrops on messages at one end of the link, referred to as the origin point, tunnels them through the wormhole link and replays them at the other end, referred to as the destination point. The wormhole attack is very difficult to detect, since it is launched without compromising any host, or the integrity and authenticity of the communication [90,127].

In  the  case  of  SeRLoc,  an  attacker  records  the  beacons  transmitted  from  locators  at  the  origin 
point  and  replays  them  at  the  destination  point,  thus  providing  false  localization  information  to 
the  sensors  attacked.  In  figure  1.4(a),  the  attacker  records  beacons  at  region  B,  tunnels  them  via 
the  wormhole  link  in  region  A  and  replays  them,  thus  leading  sensor  s  to  believe  that  it  can  hear 
locators  {L\  r L&}- 
Figure 1.4: (a) Wormhole attack: An attacker records beacons in area B, tunnels them via the wormhole link in area A and re-broadcasts them. (b) Computation of the common area $A_c$, where locators are heard to both s, O.

Detecting  wormholes  in  SeRLoc 

We now show how a node can detect a wormhole attack using two properties: the single message/sector per locator property and the communication range constraint property.

Single message/sector per locator property: The origin point O of the wormhole attack defines the set of locators $LH_s^r$ replayed to the sensor s under attack. The location of the sensor defines the set of locators $LH_s^d$ directly heard to the sensor s, with $LH_s = LH_s^r \cup LH_s^d$. Based on the single message/sector per locator property we show that the wormhole attack is detected when $LH_s^r \cap LH_s^d \neq \emptyset$.

Lemma 1 Single message per locator/sector property: Reception of multiple messages authenticated with the same hash value is due to replay, multipath effects, or imperfect sectorization.

Proof 1 In the absence of any attack, it is feasible for a sensor to hear multiple sectors due to multipath effects. In addition, a sensor located at the boundary of two sectors can also hear multiple sectors even if there is no multipath or attack, due to imperfect sectorization. We assume that the locator transmits simultaneously in all sectors, and that the same but fresh hash value is used to authenticate them per beacon transmission. Due to the use of an identical but fresh hash in all sectors per transmission, if an adversary replays a message from any sector of a locator directly heard to the sensor under attack, the sensor will have already received the hash via the direct path and hence, detect the attack.

If we consider reception of multiple messages containing the same hash value due to multipath effects or imperfect sectorization to be a replay attack, a sensor will always assume it is under attack when it receives messages with the same hash value. Hence, an adversary launching a wormhole attack will always be detected if it replays a message from locator $L_i \in LH_s^d$, i.e. if $LH_s^r \cap LH_s^d \neq \emptyset$. In figure 1.5(a), $A_s$ denotes the area where $L_i \in LH_s^d$ (circle of radius R centered at s), $A_o$ denotes the area where $L_i \in LH_s^r$ (circle of radius R centered at O), and the shaded area $A_c$ denotes the common area $A_c = A_s \cap A_o$.
Figure 1.5: (a) Single message/sector per locator property: a node s cannot hear two messages authenticated with the same hash value. (b) Communication range violation property: a node s cannot hear two locators more than 2R apart. (c) Combination of the two properties for wormhole detection.

Proposition 1 The detection probability P(SG) due to the single message/sector per locator property is equal to the probability that at least one locator lies within an area of size $A_c$, and is given by:

$$P(SG) = 1 - e^{-\rho_L A_c}, \quad \text{with} \quad A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (1.11)$$

with l being the distance between the origin point and the sensor under attack.


Proof 2 If a locator $L_i$ lies inside $A_c$, it is less than R units away from a sensor s and therefore $L_i \in LH_s^d$. Locator $L_i$ is also less than R units away from the origin point of the attack O, and therefore, $L_i \in LH_s^r$. Hence, if a locator lies inside $A_c$, $LH_s^r \cap LH_s^d \neq \emptyset$, and the attack is detected due to the single message/sector per locator property. The detection probability P(SG) is equal to the probability that at least one locator lies within $A_c$. If $LH_{A_c}$ denotes the set of locators located within area $A_c$ then:

$$P(SG) = P(|LH_{A_c}| \ge 1) = 1 - P(|LH_{A_c}| = 0) = 1 - e^{-\rho_L A_c}, \qquad (1.12)$$

where $A_c$ can be computed from figure 1.4(b) to be:

$$A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (1.13)$$

with $l = \|s - O\|$.

Figure 1.6(a) presents the detection probability P(SG) vs. the locator density $\rho_L$ and the distance $\|s - O\|$ between the origin point and the sensor under attack, normalized over R. We observe that if $\|s - O\| > 2R$, then $A_c = 0$ and the use of the single message/sector per locator property is not sufficient to detect a wormhole attack. For distances $\|s - O\| > 2R$, a wormhole attack can be detected using the communication range constraint property presented below.

Communication range violation property: Given the coordinates of node s, all locators $LH_s$ heard by s should lie within a circle of radius R, centered at s. Since node s is not aware of its location it relies on its knowledge of the locator-to-sensor communication range R to verify that the set $LH_s$ satisfies lemma 2.

Lemma 2 Communication range constraint property: A sensor s cannot hear two locators $L_i, L_j \in LH_s$ more than 2R apart, i.e. $\|L_i - L_j\| \le 2R,\ \forall L_i, L_j \in LH_s$.

Proof 3 Any locator $L_i \in LH_s$ has to lie within a circle of radius R, centered at the sensor s (area $A_s$ in figure 1.5(b)), $\|L_i - s\| \le R,\ \forall L_i \in LH_s$. Hence,

$$\|L_i - L_j\| = \|L_i - s + s - L_j\| \le \|L_i - s\| + \|s - L_j\| \le R + R = 2R. \qquad (1.14)$$

Using the coordinates of $LH_s$, a sensor can detect a wormhole attack if the communication range constraint property is violated. We now compute the detection probability P(CR) due to the communication range constraint property.
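The two detection properties (Lemma 1 and Lemma 2) and the closed form of equation (1.11) can be run on a set of authenticated beacons as follows. This is an added example, not code from the report; the beacon dictionaries, coordinates and function names are constructed for illustration.

```python
import math
from itertools import combinations


def single_message_violations(beacons):
    """Lemma 1: locator IDs for which the same hash value arrived more than once."""
    seen, flagged = set(), set()
    for b in beacons:
        key = (b["id"], b["hash"])
        if key in seen:
            flagged.add(b["id"])
        seen.add(key)
    return flagged


def range_violations(beacons, R):
    """Lemma 2: pairs of heard locators whose advertised positions are > 2R apart."""
    pos = {b["id"]: b["pos"] for b in beacons}
    return [(a, b) for a, b in combinations(sorted(pos), 2)
            if math.dist(pos[a], pos[b]) > 2 * R]


def wormhole_detected(beacons, R):
    """A node flags an attack if either property is violated."""
    return bool(single_message_violations(beacons)) or bool(range_violations(beacons, R))


def p_sg(rho_L, R, l):
    """Eq. (1.11): P(SG) = 1 - exp(-rho_L * A_c), A_c = 2R^2*phi - R*l*sin(phi)."""
    if l >= 2 * R:
        return 0.0                       # circles around s and O do not overlap
    phi = math.acos(l / (2 * R))
    a_c = 2 * R ** 2 * phi - R * l * math.sin(phi)
    return 1.0 - math.exp(-rho_L * a_c)


# Constructed scenario: sensor near the origin, R = 10.
R = 10.0
direct = [
    {"id": 1, "pos": (3.0, 4.0), "hash": "h1-round5"},
    {"id": 2, "pos": (-6.0, 2.0), "hash": "h2-round5"},
]
# Beacons tunnelled from the origin point: locator 1 is also heard directly,
# locator 3 is only reachable through the wormhole.
replayed_overlap = [
    {"id": 1, "pos": (3.0, 4.0), "hash": "h1-round5"},
    {"id": 3, "pos": (18.0, 3.0), "hash": "h3-round5"},
]
# A replay that violates neither property (the 1 - P_det case).
replayed_quiet = [{"id": 4, "pos": (15.0, 5.0), "hash": "h4-round5"}]

if __name__ == "__main__":
    print(single_message_violations(direct + replayed_overlap))   # duplicated locator IDs
    print(range_violations(direct + replayed_overlap, R))         # pairs more than 2R apart
    print(wormhole_detected([direct[0]] + replayed_quiet, R))     # undetected replay
    print(round(p_sg(0.005, 20.0, 30.0), 4))
```

The last scenario shows why the analysis speaks of a detection probability: a replayed locator that is neither heard directly nor more than 2R from every directly heard locator passes both checks.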

Proposition 2 A wormhole attack is detected due to the communication range constraint property, with a probability:

$P(CR) \ge (1 - e^{-\rho_L A_i^*})^2$, $A_i^* = x\sqrt{R^2 - x^2} - R^2 \tan^{-1}$ , (1.15)

where x = .

Proof 4 Consider figure 1.5(b), where $\|s - O\| = 2R$. If any two locators within $A_s, A_o$ have a distance larger than 2R, a wormhole attack is detected. Though P(CR) is not easily computed analytically, we can obtain a lower bound on P(CR) by considering the following event. In figure 1.5(b), the vertical lines defining shaded areas $A_i, A_j$ are perpendicular to the line connecting s, O, and have a separation of 2R. If there is at least one locator $L_i$ in the shaded area $A_i$ and at least one locator $L_j$ in the shaded area $A_j$, then $\|L_i - L_j\| > 2R$ and the attack is detected. Note that this event does not include all possible locations of locators for which $\|L_i - L_j\| > 2R$, and hence it yields a lower bound. If $\mathcal{LH}_{A_i,A_j}$ denotes the event $(|LH_{A_i}| > 0 \ \cap\ |LH_{A_j}| > 0)$ then,

$$P(CR) = P(\|L_i - L_j\| > 2R,\ L_i, L_j \in LH_s)$$
$$\ge P(CR \cap \mathcal{LH}_{A_i,A_j}) \qquad (1.16)$$
$$= P(CR \mid \mathcal{LH}_{A_i,A_j})\, P(\mathcal{LH}_{A_i,A_j}) \qquad (1.17)$$
$$= P(\mathcal{LH}_{A_i,A_j}) \qquad (1.18)$$
$$= (1 - e^{-\rho_L A_i})(1 - e^{-\rho_L A_j}), \qquad (1.19)$$

where (1.16) follows from the fact that the probability of the intersection of two events is always less or equal to the probability of one of the events, (1.17) follows from the definition of the conditional probability, (1.18) follows from the fact that when $\mathcal{LH}_{A_i,A_j}$ is true, we always have a communication range constraint violation ($P(CR \mid \mathcal{LH}_{A_i,A_j}) = 1$), and (1.19) follows from the fact that $A_i, A_j$ are disjoint areas and that locators are randomly deployed.

Figure 1.6: Wormhole detection probability based on, (a) the single message/sector per locator property: P(SG). (b) A lower bound on the wormhole detection based on the communication range violation property: P(CR). (c) A lower bound on the wormhole detection probability for SeRLoc.

We can maximize the lower bound of P(CR) by finding the optimal values $A_i^*, A_j^*$. In Appendix 1.10.2 we prove that the lower bound in (1.19) attains its maximum value when $A_i^* = \max_i\{A_i\}$ subject to the constraint $A_i = A_j$ ($A_i, A_j$ are symmetric). We also prove that $A_i^*, A_j^*$ are expressed by:

$A_i^* = A_j^* = x\sqrt{R^2 - x^2} - R^2 \tan^{-1}$ , and x = (1.20)

Substituting (1.20) into (1.19) yields the required result: $P(CR) \ge (1 - e^{-\rho_L A_i^*})^2$.

In figure 1.6(b), we show the maximum lower bound on P(CR) vs. the locator density $\rho_L$, and the distance $\|s - O\|$ normalized over R. The lower bound on P(CR) increases with the increase of $\|s - O\|$ and attains its maximum value for $\|s - O\| = 4R$ when $A_i^* = A_j^* = \pi R^2$. For distances $\|s - O\| > 4R$ a wormhole attack is always detected based on the communication range constraint property, since any locator within $A_o$ will be more than 2R apart from any locator within $A_s$.

Detection probability $P_{det}$ of the wormhole attack against SeRLoc: We now combine the two detection mechanisms, namely the single message/sector per locator property and the communication range constraint property for computing the detection probability of a wormhole attack against SeRLoc.

Proposition 3 The detection probability of a wormhole attack against SeRLoc is lower bounded by $P_{det} \ge (1 - e^{-\rho_L A_c}) + (1 - e^{-\rho_L A_i^*})^2 e^{-\rho_L A_c}$.

Proof 5 In the computation of the communication range constraint property, by setting $A_i = A_j$ and maximizing $A_i$ regardless of the distance $\|s - O\|$, the areas $A_i, A_j$, and $A_c$ do not overlap as shown in figure 1.5(c). Hence, the corresponding events of finding a locator at any of these areas are independent and we can derive a lower bound on the detection probability $P_{det}$ by combining the two properties.

$$P_{det} = P(SG \cup CR) = P(SG) + P(CR) - P(SG)P(CR)$$
$$= P(SG) + P(CR)\,(1 - P(SG))$$
$$\ge (1 - e^{-\rho_L A_c}) + (1 - e^{-\rho_L A_i^*})^2 e^{-\rho_L A_c}. \qquad (1.21)$$

The left side of (1.21) is a lower bound on $P_{det}$ since P(CR) was also lower bounded.

In figure 1.6(c), we show the lower bound on $P_{det}$ vs. the locator density $\rho_L$ and the distance $\|s - O\|$ normalized over R. For values of $\|s - O\| > 4R$, $P(CR) = 1$, since any $L_i \in LH_s^d$ will be more than 2R away from any $L_j \in LH_s^r$ and hence, the wormhole attack is always detected. From figure 1.6(c), we observe that a wormhole attack is detected with a probability very close to unity, independent of the origin and destination point of the attack. The intuition behind (1.21) is that there is at most $(1 - P_{det})$ probability for a specific realization of the network to have an origin and destination point where a wormhole attack would be successful. Even if such a realization occurs, the attacker has to acquire full knowledge of the network topology and, based on the geometry, locate the origin and destination point where the wormhole link can be established.

Attach to Closer Locator Algorithm (ACLA)

s : broadcast $\{ \eta_s \| ID_s \}$
if $L_i$ hears $\{ \eta_s \| ID_s \}$ reply
    $L_i : \{ \eta_s \| (X_i, Y_i) \| (\theta_1, \theta_2) \| (H^{n-j}(PW_i)) \| j \| ID_{L_i} \}_{K_{L_i,s}}$
$L_i'$ : first authentic reply from a locator.
$LH_s^d = \{ L_i \in LH_s : sector\{L_i\} \text{ intersects } sector\{L_i'\} \}$
s : execute SeRLoc with $LH_s = LH_s^d$

Figure 1.7: The pseudo-code of ACLA.

Location resolution algorithm: Although a wormhole can be detected using one of the two detection mechanisms, a sensor s under attack cannot distinguish the set of locators directly heard $LH_s^d$ from the set of locators replayed $LH_s^r$ and hence, estimate its location. To resolve the location ambiguity sensor s executes the Attach to Closer Locator Algorithm (ACLA). Assume that a sensor authenticates a set of locators $LH_s = LH_s^d \cup LH_s^r$, but detects that it is under attack.

Step 1: Sensor s broadcasts a randomly generated nonce $\eta_s$ and its $ID_s$.

Step 2: Every locator hearing the broadcast of node s replies with a beacon that includes localization information and the nonce $\eta_s$, encrypted with the pairwise key $K_{L_i,s}$ instead of the broadcast key $K_0$. The sensor identifies the locator $L_i'$ that replies first with an authentic message that includes $\eta_s$.

Step 3: Sensor s identifies the set $LH_s^d$ as all the locators whose sectors overlap with the sector of $L_i'$ and executes SeRLoc with $LH_s = LH_s^d$.

The pseudo-code of ACLA is presented in figure 1.7. Note that the closest locator to sensor s will always reply first if it directly hears the broadcast from s, and not through a replay from an adversary. In order for an adversary to force sensor s to accept set $LH_s^r$ as the valid locator set, it can only replay the nonce $\eta_s$ to a locator $L_i \in LH_s^r$, record the reply, tunnel via the wormhole and replay it in the vicinity of s. However, a reply from a locator in $LH_s^r$ will arrive later than any reply from a locator in $LH_s^d$, since locators in $LH_s^r$ are further away from s than locators in $LH_s^d$.

To execute ACLA, a sensor must be able to communicate bi-directionally with at least one locator. The probability $P_{s \to L}$ of a sensor having a bi-directional link with at least one locator and the probability $P_{bd}$ that all sensors can bi-directionally communicate with at least one locator can be computed as:

PS^L  =  l  ~  e-p^r2G\  Pbd  =  {  i-e-PL^f\.  (1.22) 

Hence, we can select the system parameters $\rho_L$, G so every sensor has a bi-directional link with at least one locator with any desired probability.
1.5.2 Sybil Attack


Threat  model 

In the Sybil attack [74,124], an adversary is able to fabricate legitimate node IDs or assume the IDs of existing nodes, in order to impersonate multiple network entities. Unlike the wormhole attack, in the Sybil attack model, the adversary may have access to cryptographic quantities necessary to assume node IDs. Hence, the adversary can insert bogus information into the network. A solution for the Sybil attack was recently proposed in [124].


Sybil  attack  against  SeRLoc 

In SeRLoc, nodes do not rely on other nodes to compute their location. Hence, an attacker has no incentive to assume node IDs. An adversary can impact SeRLoc if it successfully impersonates locators. Since nodes are pre-loaded with valid locator IDs along with the hash values corresponding to the head of the reversed hash chain, an adversary can only duplicate existing locator IDs by compromising the globally shared key $K_0$.

Once $K_0$ has been compromised, the adversary has access to the locator IDs, the hash chain values published by the locators, as well as the coordinates of the locators. Since nodes always have the latest published hash values from the locators that they directly hear, an adversary can only impersonate locators that are not directly heard to the nodes under attack. The adversary can generate bogus beacons, attach a published hash value from a locator not heard to the node under attack, and encrypt it with $K_0$.


Defense  against  the  Sybil  attack 

Though we do not provide a mechanism to prevent an adversary from impersonating locators except for the ones directly heard to a node, we can still determine the position of nodes in the presence of a Sybil attack. In order to compromise the location estimation process of SeRLoc, the adversary needs to impersonate more than $|LH_s^d|$ locators in order to displace the node s. To avoid node displacement we propose the following enhancement.

Since the locator density $\rho_L$ is known before deployment, we can select a threshold value $L_{max}$ as the maximum allowable number of locators heard by each node. If a node hears more than $L_{max}$ locators, it assumes that it is under attack and executes ACLA to determine its position. The probability that a node s hears more than $L_{max}$ locators is given by:

$$P(|LH_s| \ge L_{max}) = 1 - P(|LH_s| < L_{max}) = 1 - \sum_{i=0}^{L_{max}-1} \frac{(\rho_L \pi R^2)^i}{i!} e^{-\rho_L \pi R^2}. \qquad (1.23)$$

Using (1.23), we can select the value of $L_{max}$ so that there is a very small probability for a node to hear more than $L_{max}$ locators, while there is a very high probability for a node to hear more than $\frac{L_{max}}{2}$ locators. If a node hears more than $L_{max}$ locators without being under attack, the detection mechanism will result in a false positive alarm and force the node to execute ACLA to successfully locate itself. However, if a node hears less than $\frac{L_{max}}{2}$, the node is vulnerable to a Sybil attack. Hence, we must select a threshold $L_{max}$ so that any node hears less than $\frac{L_{max}}{2}$ locators with a probability very close to zero.

In figure 1.8, we show $P(|LH_s| \ge L_{max})$ vs. $L_{max}$, for varying locator densities $\rho_L$. Based on figure 1.8, we can select the appropriate $L_{max}$ for each value of $\rho_L$. For example, when $\rho_L = 0.03$, a choice of $L_{max} = 46$ allows a node to localize itself when under Sybil attack with a probability $P(|LH_s| \ge 23) = 0.995$, while the false positive alarm probability is $P(|LH_s| \ge 46) = 0.1045$.

Figure 1.8: $P(|LH_s| \ge L_{max})$ vs. $L_{max}$ for varying locator densities $\rho_L$.
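The threshold selection described with equation (1.23) can be carried out numerically as below. This is an added example, not code from the report; the function names are hypothetical and the range R = 20 is an assumption (this section does not state R), chosen because it gives values close to the ones quoted for $\rho_L = 0.03$.

```python
import math


def prob_at_least(l_max, rho_L, R):
    """Eq. (1.23): P(|LH_s| >= L_max) when the number of locators heard is
    Poisson with mean rho_L * pi * R^2."""
    lam = rho_L * math.pi * R ** 2
    cdf = 0.0
    for i in range(l_max):
        # Poisson pmf computed in log space to stay stable for large means.
        cdf += math.exp(i * math.log(lam) - lam - math.lgamma(i + 1))
    return max(0.0, 1.0 - cdf)


def choose_l_max(rho_L, R, max_false_alarm):
    """Smallest even L_max whose false-alarm probability P(|LH_s| >= L_max)
    does not exceed max_false_alarm. Also returns P(|LH_s| >= L_max/2), the
    probability that a node hears enough locators to out-vote impersonated ones."""
    lam = rho_L * math.pi * R ** 2
    upper = 10 * math.ceil(lam) + 10          # generous search limit
    for l_max in range(2, upper, 2):
        false_alarm = prob_at_least(l_max, rho_L, R)
        if false_alarm <= max_false_alarm:
            return l_max, false_alarm, prob_at_least(l_max // 2, rho_L, R)
    return None


if __name__ == "__main__":
    RHO_L = 0.03      # locator density from the text
    R_ASSUMED = 20.0  # assumption: range not given in this section
    for cap in (0.25, 0.11, 0.01):
        l_max, fa, half = choose_l_max(RHO_L, R_ASSUMED, cap)
        print(f"false-alarm cap {cap:>4}: L_max={l_max}  "
              f"P(>=L_max)={fa:.4f}  P(>=L_max/2)={half:.4f}")
```

Tightening the false-alarm cap raises $L_{max}$, which in turn raises $L_{max}/2$ and lowers the probability that a node hears enough genuine locators, so the two requirements have to be balanced for each density.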


1.5.3  Compromised  network  entities 

In  this  section  we  examine  the  robustness  of  SeRLoc  against  compromised  network  entities.  We 
consider  a  node  or  a  locator  node  to  be  compromised  if  an  attacker  assumes  full  control  over  the 
behavior  of  the  node  and  knows  all  the  keys  stored  at  the  compromised  node. 


Compromised  nodes 

Though nodes are assumed to be easier to compromise, an attacker has no incentive in compromising nodes, since they do not actively participate in the localization procedure. The only benefit from compromising a node is to gain access to the globally shared key $K_0$.


Compromised  locators 

An adversary that compromises a locator $L_i$ gains access to the globally shared key $K_0$, the pairwise keys $K_{L_i,s}$ that the compromised locator shares with every node, as well as all the hash values of the locator's hash chain. By compromising a single locator, the adversary can displace any node, by impersonating the compromised locator from a position closer to the node under attack compared to the closest legitimate locator. The adversary impersonates multiple locators in order to force location ambiguity to the node under attack. Once the attack is detected, node s executes ACLA to resolve its location ambiguity. Since the adversary is closer to the node s than the closest legitimate locator, its reply will arrive at s the earliest. Hence, s will assume that the impersonated set of locators is the valid one and will be displaced.

To avoid node displacement by a single locator compromise we can intensify the resilience of SeRLoc to locator compromise by involving more than one locator in the location resolution algorithm, at the expense of higher communication overhead. A node s under attack can execute the enhanced location resolution algorithm detailed below.

Step 1: Node s broadcasts a randomly generated nonce $\eta_s$, the set of locators heard $LH_s$ and its $ID_s$.

$$s : \{ \eta_s \| LH_s \| ID_s \}. \qquad (1.24)$$
Enhanced Location Resolution Algorithm

s : broadcast $\{ \eta_s \| LH_s \| ID_s \}$
$RL_s = \{ L_i : \|s - L_i\| \le r_{sL} \}$
$RL_s$ : broadcast $\{ \eta_s \| LH_s \| ID_s \| (X_i, Y_i) \| H^{n-k}(PW_i) \| j \| ID_{L_i} \}_{K_0}$
$BL_s = \{ L_i : \|RL_s - L_i\| \le r_{LL} \} \cap LH_s$
$BL_s$ : broadcast $\{ \eta_s \| (X_i, Y_i) \| (\theta_1, \theta_2) \| H^{n-k}(PW_i) \| j \| ID_{L_i} \}_{K_{L_i,s}}$
s : collect first $L_{max}$ authentic beacons from $BL_s$
s : execute SeRLoc with collected beacons

Figure 1.9: The pseudo-code for the enhanced location resolution algorithm.

Step 2: Every locator $L_i$ receiving the broadcast from s appends its coordinates, the next hash value of its hash chain and its $ID_{L_i}$, encrypts the message with $K_0$ and re-broadcasts the message to all sectors.

$$L_i : \{ \eta_s \| LH_s \| ID_s \| (X_i, Y_i) \| H^{n-k}(PW_i) \| j \| ID_{L_i} \}_{K_0}. \qquad (1.25)$$

Step 3: Every locator receiving the re-broadcast verifies the authenticity of the message, and that the transmitting locator is within its range. If the verification is correct and the receiving locator belongs to $LH_s$, the locator broadcasts a new beacon with location information and the nonce $\eta_s$ encrypted with the pairwise key with node s.

$$L_i : \{ \eta_s \| (X_i, Y_i) \| (\theta_1, \theta_2) \| H^{n-k}(PW_i) \| j \| ID_{L_i} \}_{K_{L_i,s}} \qquad (1.26)$$

Step 4: The node collects the first $L_{max}$ authentic replies from locators, and executes SeRLoc with $|LH_s| = L_{max}$.

The pseudo-code for the enhanced location resolution algorithm is presented in figure 1.9. Note that for a locator to hear the node's broadcast it has to be within a range rsL = rG7 from the node. Furthermore, in order for the node to make the correct location estimate, all locators within a range R from s need to provide new beacon information. Every locator positioned within R from a node s is within the range of any locator positioned at a distance rSL from the node s.

Each beacon broadcast from a locator has to include the nonce $\eta_s$ initially broadcasted by the node and be encrypted with the pairwise key between the node and the locator. Hence, given that the node has at least $\frac{L_{max}}{2}$ locators within range R with very high probability (see figure 1.8), the adversary has to compromise at least $(\frac{L_{max}}{2} + 1)$ locators, in order to compromise the majority vote scheme of SeRLoc. In addition, the attacker has to possess the hardware capabilities to process and transmit $(\frac{L_{max}}{2} + 1)$ replies before $\frac{L_{max}}{2}$ replies from valid locators reach the node under attack. Our enhanced location resolution algorithm significantly increases the resilience of SeRLoc to locator compromise, at the expense of higher communication overhead at the locators.


1.6  HiRLoc:  A  High-resolution  Range-Independent  Localization 
Scheme 

Though SeRLoc localizes nodes with sufficient accuracy for most applications, there might be
requirements  for  high-resolution  localization  with  no  degradation  on  the  security  level  or  significant 
increase  of  the  hardware  requirements.  In  this  section  we  examine  whether  such  requirements  of 
high  accuracy  localization  can  be  satisfied. 
In SeRLoc, nodes compute their location by collecting only one beacon transmission from each locator. Since subsequent rounds of transmissions contain identical sector information as the first round of transmissions, the reduction of the ROI in SeRLoc can only be achieved by, (a) increasing the locator density $\rho_L$ so that more locators are heard at each node, and a higher number of sectors intersect or, (b) by using narrower antenna sectors to reduce the size of the sectors $S_i(j)$. Both these methods reduce the localization error at the expense of a higher number of devices with special capabilities (more locators), and more complex hardware at each locator (more antenna sectors).

In this section we present the High-resolution Range-independent Localization scheme (HiRLoc) that allows nodes to determine their location with high accuracy even in the presence of security threats. In HiRLoc, the location estimation accuracy is increased by exploiting the temporal dimension, and without incurring the costs of deploying more locators, or equipping them with expensive antenna systems. The locators provide different localization information at consecutive beacon transmissions by, (a) varying the direction of their antennas and, (b) varying the communication range of the transmission via power control. We now explore how both these methods lead to the reduction of the ROI.


1.6.1  Location  Determination 

As in SeRLoc, in order to determine their location, nodes rely on beacon information transmitted from the locators. Locators change their orientation over time and retransmit beacons in order to improve the accuracy of the location estimate. Based on the beacon information, nodes define the sector area $S_i(j)$ as the confined area covered by the jth transmission of a locator $L_i$.

A node s receiving the jth beacon transmission from locator $L_i$ is included within the sector area $S_i(j)$. Let $LH_s(j)$ denote the set of locators heard by a node s, during the jth transmission round. By collecting beacons from the locators $L_i \in LH_s(j)$, the node can compute its location as the CoG of the Region of Intersection (ROI) of all the sectors $S_i(j)$. Note that a node can hear beacons from multiple locators, or multiple beacons generated by the same locator. Hence, the ROI after the mth round of beacon transmissions can be expressed as the intersection of all the sectors corresponding to the beacons available at each node:

$$ROI(m) = \bigcap_{j=0}^{m} \left( \bigcap_{i=1}^{|LH_s(j)|} S_i(j) \right). \qquad (1.27)$$

Since the ROI indicates the confined region where the node is located, reducing the size of the ROI leads to an increase in the localization accuracy. Based on equation (1.27), we can reduce the size of the ROI by, (a) reducing the size of the sector areas $S_i(j)$ and, (b) increasing the number of intersecting sectors $S_i(j)$.


Varying  the  antenna  orientation 

The locators are capable of transmitting at all directions (omnidirectional coverage) using multiple directional antennas. Every antenna has a specific orientation and hence corresponds to a fixed sector area $S_i(j)$. The antenna orientation is expressed by the angle information contained in the beacon $\theta_i(j) = \{\theta_{i,1}(j), \theta_{i,2}(j)\}$, where $\theta_{i,1}(j), \theta_{i,2}(j)$ denote the lower and upper bounds of the sector $S_i(j)$.

Instead  of  reducing  the  size  of  the  intersecting  sectors  by  narrowing  the  antenna  beamwidth, 
locators  can  change  the  orientation  of  their  antennas  and  re-transmit  beacons  with  the  new  sector 
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Figure  1.10:  (a)  The  node  is  located  within  the  intersection  of  the  sectors  Si  (j).  >S'2(j),  which  defines  the  region 
of  intersection  ROI.  (b)  The  ROI  is  reduced  by  the  rotation  of  the  antenna  sectors  by  some  angle  a.  (c)  Locator 
L\  is  equipped  with  three  directional  antennas  of  beamwidth  ^  each.  The  transmission  of  beacons  at  each  sector, 
followed  by  antenna  rotation  by  ^ ,  followed  by  a  transmission  of  update  beacons,  is  equivalent  to  equipping  L\  with 
six  directional  antennas  of  beamwidth  . 

boundaries.  A  change  in  the  antenna  orientation  can  occur  either  by  changing  the  orientation  of 
the  locators,  or  by  rotation  of  their  antenna  system.  A  node  collects  multiple  sector  information 
from each locator over a sequence of transmissions: S_i(j) = S_i(θ_i(j), j), j = 1 ... Q. As expressed
by equation (1.27), the intersection of a larger number of sectors can lead to a reduction in the
size of the ROI. As an example, consider figure 1.10, where a node s hears locators L_1, L_2. In
figure 1.10(a), we show the first round of beacon transmissions by the locators L_1, L_2, and the
corresponding ROI(1). In figure 1.10(b), the locators L_1, L_2 rotate their antennas by an angle a
and transmit the second round of beacons with the new sector boundaries. The ROI in the two
rounds of beacon transmissions can be expressed as:

ROI(1) = S_1(1) ∩ S_2(1),   ROI(2) = S_1(1) ∩ S_1(2) ∩ S_2(1) ∩ S_2(2).   (1.28)

The antenna rotation can be interpreted as an increase in the number of antenna sectors of each
locator  via  superposition  over  time.  For  example,  consider  figure  1.10(c),  where  a  locator  is  equipped 
with  three  directional  antennas  of  beamwidth  Transmission  of  one  round  of  beacons,  followed 
by  antenna  rotation  by  ^  and  re-transmission  of  the  updated  beacons  is  equivalent  to  transmitting 
one  round  of  beacons  when  locators  are  equipped  with  six  directional  antennas  of  beamwidth  ^ . 


Varying  the  Communication  range 

A second approach to reducing the area of the ROI is to reduce the size of the intersecting sectors.
This can be achieved by allowing locators to decrease their transmission power and re-broadcast
beacons with the new communication range information. In such a case, the sector area S_i(j) is
dependent upon the communication range R_i(j) at the jth transmission, i.e. S_i(j) = S_i(R(j), j).
To illustrate the ROI reduction, consider figure 1.11(a), where locators L_1, L_2 transmit with their
maximum power; node s computes ROI(1) = S_1(1) ∩ S_2(1). In figure 1.11(b), locators L_1, L_2
reduce their communication range by lowering their transmission power and re-transmit the updated
beacons. While locator L_1 is out of range from node s and, hence, does not further refine the node's
location, s can still hear locator L_2 and therefore reduce the size of the ROI.

Figure 1.11: (a) The node is located within the intersection of the sectors S_1(j), S_2(j), which defines the ROI. (b)
The locators reduce their communication range and transmit updated beacons. While s is outside the communication
range of L_1, it can still hear the transmission of L_2. The new beacon information leads to the reduction of the ROI.
(c) The intersection of multiple sectors originating from the same locator with the same angle boundaries but different
transmission range R_i(j) is equal to the sector with the smallest communication range.


Hybrid  approach 

The combination of the variation of the antenna orientation and communication range leads to a
dual dependency of the sector area S_i(θ_i(j), R(j), j). Such a dependency can also be interpreted as
a limited mobility model for the locators. For a locator L_i moving in a confined area, the antenna
orientation and communication range with respect to a static node vary, thus providing the node
with multiple sector areas S_i(j). The mobility model is characterized as limited, since the locator
has to be within the range of the node for at least a fraction of its transmissions in order to provide
the necessary localization information. The algorithmic details of HiRLoc are given in figure 1.12.
HiRLoc-I: High-resolution Robust Localization Scheme

L_i : broadcast { (X_i, Y_i) || (θ_{i,1}(1), θ_{i,2}(1)) || R_i(1) }
s : define LH_s = { L_i : ||s − L_i|| < R_i(1) }
s : define A_s = [X_max − R_i(1), X_min + R_i(1), Y_max − R_i(1), Y_min + R_i(1)]
s : store S ← S_i(1) : { (X_i, Y_i) || (θ_{i,1}(1), θ_{i,2}(1)) || R_i(1) }, ∀ L_i ∈ LH_s
j = 1
for k = 1 : Q − 1
    for w = 1 : N − 1
        j++
        L reduce R(j) = R(j − 1) −
        L : broadcast { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }
        s : store S ← S_i(j) : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }, ∀ L_i : ||s − L_i|| < R_i(j) ∩ L_i ∈ LH_s
    endfor
    j++
    R_i(j) = R_i(1), ∀ L_i ∈ LH_s
    L rotate θ_i(j) = {θ_{i,1}(j − 1) + ^, θ_{i,2}(j − 1) +
    L : broadcast L_i : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }
    s : store S ← S_i(j) : { (X_i, Y_i) || (θ_{i,1}(j), θ_{i,2}(j)) || R_i(j) }, ∀ L_i : ||s − L_i|| < R_i(j) ∩ L_i ∈ LH_s
endfor
s : compute ROI = ∩_{i=1}

Figure 1.12: Localization algorithm (version I).

In  this  section,  we  explore  the  security  threats  against  HiRLoc,  that  can  occur  when  nodes  are 
deployed  in  an  untrusted  environment.  We  show  that  HiRLoc  has  equivalent  security  to  SeRLoc 
and  the  same  detection  and  prevention  mechanisms  can  be  employed. 

1.7.1  The  Wormhole  Attack 

Wormhole  attack  against  HiRLoc — antenna  orientation  variation 

An  adversary  launching  a  wormhole  attack  against  HiRLoc,  records  beacons  at  the  origin  point, 
and  replays  them  at  the  destination  point,  in  order  to  provide  false  localization  information.  Note 
that  since  in  step  1  of  HiRLoc,  the  node  determines  the  set  of  locators  LHS  that  are  within  range, 
and  accepts  future  transmissions  only  from  that  set  of  locators,  the  attacker  has  to  replay  the 
recorded  beacons  in  a  timely  manner,  i.e.  before  the  second  round  of  beacon  transmissions  occurs. 

Furthermore, the attacker must continue to forward all subsequent beacon transmissions
occurring at the origin point due to the antenna orientation variation, in order to compromise the
majority vote scheme used in step 3, and displace the node. For example, if each locator performs
(Q − 1) antenna rotations, due to majority voting the attacker has to replay more than Q|LH_s|
beacons corresponding to sectors that lead to a ROI different than the node's location.


Defending  against  the  wormhole  attack — antenna  orientation  variation 

All beacons considered in the ROI computation originate from locators L_i ∈ LH_s determined
in step 1 of HiRLoc. To avoid node displacement the node must be capable of identifying the
valid set of locators LHg from the replayed one, LH J. Since the set LH_s is defined before any
antenna rotation, this step is identical to the LH_s determination in SeRLoc. Hence, the mechanisms
developed for SeRLoc for identifying LHg can also be employed in the case of HiRLoc.


Wormhole  attack  against  HiRLoc — communication  range  variation 

When  HiRLoc  is  applied  with  the  communication  range  variation  option,  identifying  the  set  of 
valid  locators  from  the  replayed  ones  is  not  sufficient  to  prevent  wormhole  attacks.  Even  if  locator 
L_i belongs to the valid set of locators LHg, node s can get out of the range of locator L_i, when L_i
reduces  its  communication  range.  Hence,  an  adversary  can  replay  beacons  from  valid  locators  as 
soon  as  the  node  under  attack  gets  out  of  the  communication  range  of  locators. 


Defending  against  the  wormhole  attack — communication  range  variation 

In  the  case  of  the  communication  range  variation  we  can  detect  a  wormhole  attack  using  the 
following  approach.  Instead  of  computing  the  ROI  after  the  collection  of  all  beacon  transmissions, 
the node computes an estimate of the ROI(1) by using all the beacons transmitted with the
maximum communication range. The computation of the ROI(1) is identical to the computation
of the ROI in the case of SeRLoc. Once the initial estimate of the ROI(1) is computed robustly,
any subsequent estimation of the ROI(j) must intersect with the initial one. Since subsequent ROI
estimates are refinements of ROI(1), if the node computes a ROI(j) that does not intersect with
the initial one, it detects that it is under attack. Hence, an adversary can only hope to displace
the node within the region of the initial estimation of the ROI(1).

1.7.2  Sybil  Attack 

Sybil  attack  against  HiRLoc — antenna  orientation  variation 

In order for an attacker to impersonate a locator and provide bogus beacon information to a node
s, the attacker has to (a) compromise the globally shared key Kq used for the beacon encryption, and
(b) acquire a published hash value from a locator not directly heard by the node s.

Once the attacker compromises Kq, it can record a beacon from a locator not heard by s, decrypt
the beacon using Kq, alter the beacon content, and forward the bogus beacon to node s. Since the
node does not directly hear the transmission from the impersonated locator, it will authenticate the
bogus beacon. By impersonating a sufficient number of locators, the attacker can forward to a node
s a higher number of bogus beacons than the valid ones, compromise the majority vote scheme,
and displace s.


Defense  against  the  Sybil  attack 

Since  the  locators  are  randomly  distributed,  on  average,  each  node  will  hear  the  same  number  of 
locators.  Hence,  when  a  node  is  under  attack,  it  will  hear  an  unusually  high  number  of  locators 
(more  than  double  the  valid  ones).  We  can  use  our  knowledge  of  the  locator  distribution  to  detect 
the  Sybil  attack  by  selecting  a  threshold  value  Lmax  as  the  maximum  allowable  number  of  locators 
heard by each node. If a node hears more than Lmax locators, it assumes that it is under attack and
executes ACLA to determine its position. Since ACLA utilizes the pairwise keys K gl to identify
the valid set of locators, the Sybil attack will not be successful, unless the attacker compromises
locators.


Sybil  attack  against  HiRLoc — communication  range  variation 

When  HiRLoc  uses  the  communication  range  variation  option,  an  adversary  launching  a  Sybil 
attack can also impersonate locators L_i ∈ LH_s when their communication range is reduced so that
they are no longer heard by the node. In such a case, limiting the number of locators heard to
a maximum allowable number does not guarantee that the valid beacons will be more than the
fabricated ones. In order to avoid node displacement we follow the same approach as in the case of
the wormhole attack in the communication range variation option. The node computes an estimate
of the ROI by using only the beacons with the maximum communication range and by limiting
the number of locators heard. Once the initial estimate of the ROI is computed, any subsequent
estimation ROI(j) has to intersect with the initial one. Otherwise the node detects that it is under
attack and rejects that estimate. Hence, an adversary can only hope to displace the node within
the region of the initial estimation ROI(1).
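
The check described in the two communication-range-variation defenses above (wormhole and Sybil), written out as an added Python example that is not part of the report: the node bounds the number of locators heard by L_max, fixes ROI(1) from the maximum-range beacons, and rejects any later round whose sectors do not intersect ROI(1). The grid resolution, locator coordinates, ranges and all function names are constructed for illustration, and the ACLA fallback is only signalled, not implemented.

```python
import math
from collections import namedtuple

# A beacon as broadcast in HiRLoc: locator id and position, sector angle
# bounds (radians, counter-clockwise) and the communication range used.
Beacon = namedtuple("Beacon", "loc_id pos lo hi rng")
TWO_PI = 2 * math.pi
SECTOR = TWO_PI / 3          # 3-sector antennas, as in the report's experiments


def in_sector(p, b):
    """True if grid point p lies inside the sector announced by beacon b."""
    dx, dy = p[0] - b.pos[0], p[1] - b.pos[1]
    if math.hypot(dx, dy) > b.rng:
        return False
    ang = math.atan2(dy, dx) % TWO_PI
    return (ang - b.lo) % TWO_PI <= (b.hi - b.lo) % TWO_PI


def region(beacons, grid):
    """Grid points covered by every sector in `beacons` (their intersection)."""
    return {p for p in grid if all(in_sector(p, b) for b in beacons)}


def localize(rounds, l_max, grid):
    """rounds[0]: beacons heard at maximum range; rounds[1:]: later rounds.
    Returns (roi, alerts)."""
    lh_s = {b.loc_id for b in rounds[0]}          # LH_s is fixed in round 1
    if len(lh_s) > l_max:
        # Sybil threshold; the report switches to ACLA at this point.
        return set(), ["round 1: more than L_max locators heard"]
    roi1 = region(rounds[0], grid)                # ROI(1), maximum range only
    roi, alerts = set(roi1), []
    for j, beacons in enumerate(rounds[1:], start=2):
        # Only locators already in LH_s are accepted in later rounds.
        accepted = [b for b in beacons if b.loc_id in lh_s]
        if not accepted:
            continue
        estimate = region(accepted, grid)
        if not (estimate & roi1):
            # A valid refinement must overlap ROI(1); this one is rejected.
            alerts.append(f"round {j}: ROI({j}) does not intersect ROI(1)")
            continue
        roi &= estimate
    return roi, alerts


def beacon(loc_id, pos, k, rng):
    """Beacon for sector k (0, 1 or 2) of a 3-sector locator."""
    return Beacon(loc_id, pos, k * SECTOR, (k + 1) * SECTOR, rng)


# Constructed sample data: 100x100 area, unit grid, two locators, R = 20.
GRID = [(x, y) for x in range(101) for y in range(101)]
NODE = (50, 50)                     # true position, used only to check results
L1, L2 = (40, 40), (62, 45)
R_MAX, R_LOW = 20, 13.5

ROUND_1 = [beacon("L1", L1, 0, R_MAX), beacon("L2", L2, 1, R_MAX)]
ROUND_2 = [beacon("L2", L2, 1, R_LOW)]    # node is now out of range of L1
REPLAYED = [beacon("L1", L1, 1, R_LOW)]   # L1 sector that does not cover the node

if __name__ == "__main__":
    roi, alerts = localize([ROUND_1, ROUND_2, REPLAYED], l_max=4, grid=GRID)
    print(len(roi), NODE in roi, alerts)
```

As the text states, the check bounds the damage rather than removing it: a replayed sector that happens to overlap ROI(1) still passes, so the estimate can move only inside ROI(1).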

1.7.3  Compromised  network  entities 

Network  entities  are  assumed  to  be  compromised  when  the  attacker  gains  full  control  over  their 
behavior.  While  an  attacker  has  no  incentive  to  compromise  nodes,  since  nodes  do  not  actively 
participate  in  the  localization  procedure,  compromise  of  a  single  locator  can  potentially  lead  to  the 
displacement  of  any  node  in  the  network,  as  we  analyzed  in  SeRLoc. 

An  adversary  compromising  a  locator  gains  access  to  both  the  globally  shared  key  Kq,  the 
master  key  KjJt  used  for  the  construction  of  all  the  pairwise  keys,  as  well  as  the  locator’s  hash 
chain.  During  the  execution  of  ACLA,  a  compromised  locator  can  displace  a  node  if  it  transmits 
from  a  location  that  is  closer  to  the  node  than  the  closest  valid  locator.  To  avoid  node  displacement 
by  a  single  locator  compromise,  we  strengthen  the  robustness  of  the  ACLA  algorithm  by  adopting 
the  Enhanced  Location  Resolution  Algorithm  (ELRA),  in  order  to  resolve  any  location  ambiguity. 
The advantage of ELRA is that it involves replies from more than one locator, so that a single
locator compromise is not sufficient to displace a node. The pseudo-code of ELRA is presented in
1.9.


1.8  Performance  Evaluation 

In  this  section  we  compare  the  performance  of  SeRLoc  with  state-of-the-art  localization  techniques, 
namely  DV-Hop  [125],  Amorphous  localization  [123],  Centroid  localization  [57],  APIT  [86]  and  its 
theoretical  ideal  version  PIT  [86].  We  show  that  SeRLoc  has  superior  performance  in  localization 
error  and  requires  significantly  fewer  resources  than  other  methods.  We  also  show  that  SeRLoc  is 
robust  against  both  error  in  the  locators’  coordinates  and  estimation  of  the  antenna  sector  that 
includes  the  sensors. 
[Figure 1.13 panels: (a) Avg. LE for randomly distributed sensor networks; (b) Avg. LE for different number of antenna sectors M]

Figure 1.13: (a) Average localization error LE vs. average number of locators heard LH for a network of |N| = 5,000
and locator-to-sensor ratio -S = 10. (b) LE vs. LH for varying antenna sectors.


1.8.1  Simulation  Setup 

We  randomly  distributed  5,000  sensors  within  a  100x100  rectangular  area.  We  also  randomly  placed 
locators  within  the  same  area  and  computed  the  average  localization  error  as: 


(1.29) 


where  S  is  the  set  of  sensors,  ,?j  is  the  sensor  estimated  position,  Sj  is  the  real  position  and  r  is  the 
sensor-to-sensor  communication  range. 


1.8.2  Localization  Error  vs.  Locators  heard 

In our first experiment, we investigated the impact of the average number of locators heard LH
on the localization error. In order to provide a fair comparison of SeRLoc with other methods, we
normalize  LH  for  SeRLoc  by  multiplying  LH  with  the  number  of  sectors  used.  For  example,  when 
LH  =  9,  with  SeRLoc  using  three  sectors,  every  sensor  hears  on  average  three  locators  and  not 
nine. 

In  figure  1.13(a),  we  show  the  LE  vs.  LH  with  SeRLoc  using  three  sectors  and  -p  =  10.  We 
observe  that  in  terms  of  location  estimation  alone,  SeRLoc  is  superior  to  all  other  range-independent 
algorithms  compared  [57,86,123,125].  Note  that  SeRLoc  achieves  a  localization  error  of  0.5r,  with 
very  few  locators  (LH  =  12  which  is  equivalent  to  four  locators  with  3-sectored  antennas).  To 
achieve  LE  =  0.5r,  we  need  a  locator  density  of  pl  =  =  0.0032  for  R  =  20. 


1.8.3  Localization  Error  vs.  Antenna  Sectors 

In  our  second  experiment,  we  examined  the  impact  of  the  number  of  antenna  sectors  M  on  the 
average  localization  error  LE.  In  figure  1.13(b),  we  show  the  LE  vs.  LH,  for  varying  number 
of  antenna  sectors.  We  can  observe  that  for  LH  =  3,  the  LE  is  comparable  for  all  values  of 
M.  However,  as  the  value  of  LH  increases,  the  LE  decreases  more  rapidly  for  higher  number  of 
antenna sectors, due to the fact that the overlapping region becomes smaller when the antenna
sectors become narrower.

The gain in the localization accuracy comes at the expense of hardware complexity at the
locator, since more complex antenna designs have to be employed to generate the sectoring.
Additionally, errors in the estimation of the antenna sector where a sensor is included become more
frequent, since more sensors are located at the boundary between two sectors.

1.8.4  Localization  Error  vs.  Sector  Error 

Sensors  may  be  located  close  to  the  boundary  of  two  sectors  of  a  locator,  or  be  deployed  in  a  region 
with  high  multipath  effects.  In  such  a  case,  a  sensor  may  falsely  assume  that  it  is  located  in  another 
sector,  than  the  actual  sector  that  includes  it.  We  refer  to  this  phenomenon  as  sector  error  ( SE ) 
and  define  it  as: 

#  of  sectors  falsely  estimated 

SE  = - — - .  (1.30) 

A sector error of 0.5 indicates that every sensor falsely estimated the sectors of half the locators
heard. In figure 1.14(a), we show the LE vs. the SE for varying LH, and 8-sector antennas. We
observe that the LE does not grow significantly large (larger than the sensor communication range
r), until a fraction of 0.7 of the sectors are falsely estimated.

The SeRLoc algorithm is resilient to sector error due to the majority vote scheme employed in
the determination of the overlapping region. Even if a significant fraction of sectors are falsely
estimated, these sectors do not overlap in the same network area and hence score low in the
grid-sector table.

Note that for SE > 0.7, LE increases with LH. When the SE grows beyond a threshold,
the falsely estimated sectors dominate in the location determination. As LH grows, the falsely
estimated overlapping region shrinks due to the higher number of overlapping sectors. Hence the
CoG that defines the sensor estimated location gets further from the actual sensor location.

In  figure  1.14(b),  we  show  the  LE  vs.  SE  for  LH  =  10  and  varying  number  of  antenna  sectors. 
We  observe  that  the  narrower  the  antenna  sector  the  smaller  the  LE,  even  in  the  presence  of  SE. 
For  a  small  SE  the  overlapping  region  is  dominated  by  the  correctly  estimated  sectors  and  hence, 
shrinks  with  increasing  antenna  sectors.  For  large  SE  the  overlapping  region  is  dominated  by  the 
falsely  estimated  sectors  and  hence,  an  increase  in  LH  does  not  reduce  the  LE. 

Summarizing  our  findings  for  the  sector  error,  we  note  that  SeRLoc  is  resilient  to  sector  error 
due  to  the  majority  vote  mechanism  employed  in  the  overlapping  region  determination. 


1.8.5  Localization  Error  vs.  GPS  Error 

GPS,  or  any  alternative  localization  scheme  used  to  provide  locators  with  their  location,  may  have 
limited  accuracy.  To  study  the  impact  of  the  error  in  the  locators’  position,  on  LH,  we  induced 
a  GPS  error  ( GPSE )  to  every  locator  of  the  network.  A  value  of  GPSE  =  r  means  that  every 
locator  was  randomly  placed  at  a  circle  of  radius  r  centered  at  the  locator’s  actual  position. 

In figure 1.15(a), we show the average localization error LE vs. the GPSE in units of r, for
varying number of LH when locators use 8-sector antennas. We observe that even for large GPSE
the LE does not grow larger than 1.2r. For example, when GPSE = 1.8r and LH = 3, LE = 1.1r.
According to figure 1.13(a), DV-hop and amorphous localization require LH = 5 to achieve the
same performance in complete absence of GPSE, while APIT requires LH = 12 to reduce the
LE to 1.1r, with no GPSE induced in the locators' positions. Note that once the GPSE error
becomes significantly large (over 1.6r) an increase in LH does not improve the accuracy of the
location estimation.

[Figure 1.14 panels: (a) Avg. LE vs. SE - 8-sector antenna; (b) Avg. LE vs. SE - LH=10]

Figure 1.14: (a) LE vs. sector error SE for varying LH. (b) Average localization error LE vs. sector error SE for
varying number of antenna sectors for a network of |S| = 5,000 and -p = 10.

1.8.6  Communication  Cost  vs.  Locators  Heard 

In this section we analyse the communication cost of SeRLoc and compare it with the communication
cost of the existing range-independent localization algorithms. In figure 1.15(b), we show the
communication cost in number of transmitted messages vs. LH, when 200 sensors are randomly
deployed.

We observe that DV-hop and Amorphous localization have significantly higher communication
cost compared to all other algorithms, due to the flood-based approach for the beacon propagation.
The centroid scheme has the lowest communication cost (|L|) since it only transmits one beacon
from each locator to localize the sensor. APIT requires |L| + |S| beacons to localize the sensors,
while SeRLoc requires |ML| beacons, where L is the set of locators and M is the number
of antenna sectors.

Under the assumption that the number of sensors is much higher than the number of locators
(|S| ≫ |L|), SeRLoc has a smaller communication cost than APIT, since SeRLoc is independent of the
number of sensors deployed. In addition, SeRLoc achieves low localization error for smaller values
of LH, and hence requires a smaller number of reference points.


1.8.7 HiRLoc: Localization error vs. Locators heard and Communication overhead

In  our  first  experiment  for  HiRLoc,  we  examined  the  impact  of  the  average  number  of  locators 
heard LH on the localization accuracy of HiRLoc and compared it with the state-of-the-art
range-independent localization algorithms.

In figure 1.16(a) we show the average localization error LE in units of sensor communication
range r for varying number of locators heard at each sensor. HiRLoc-AV denotes HiRLoc that uses
antenna orientation variation to improve upon the accuracy of the location estimate of sensors.
HiRLoc-RV denotes HiRLoc that uses communication range variation to improve upon the accuracy
of the location estimate of sensors. For HiRLoc-AV and HiRLoc-RV, we performed only one rotation
of the antenna at each locator and only one reduction in the communication range, respectively,
and used 3-sectored antennas.

[Figure 1.15 panels: (a) Avg. LE vs. GPSE - 8-sector antenna; (b) Communication cost vs. LH]

Figure 1.15: (a) LE vs. locator GPS error in units of r for varying average number of locators heard LH. (b)
Communication cost vs. LH, for a network of 200 sensors.

We can observe that HiRLoc-AV has the best performance among all algorithms while HiRLoc-RV
gives the second best performance. The localization error drops rapidly under r even for small
values of LH while it is equal to LE = 0.23r for LH = 15.² HiRLoc-AV is superior to HiRLoc-RV
for the same value of LH, since in HiRLoc-AV locators still transmit with the same transmission
power once their antenna has been rotated. Hence, the same set of locators is heard at each sensor
in any transmission round. On the other hand, in HiRLoc-RV, once the transmission range has
been reduced some of the locators heard in the previous round may get out of the range of the
sensor and, hence, the improvement in the accuracy of the location estimation using HiRLoc-RV is
less than the one achieved with HiRLoc-AV.

In figure 1.16(b) we show the communication cost required for localization in number of
transmitted messages, for varying average localization error LE. The communication cost was computed
for  a  sensor  network  of  200  sensors.  Note  that  SeRLoc  and  HiRLoc  are  the  only  algorithms  whose 
communication  cost  is  independent  of  the  number  of  sensors  deployed.  All  other  algorithms  rely 
on  neighbor  sensor  information  to  estimate  the  sensor  location  and,  hence,  the  communication  cost 
grows  with  the  increase  of  the  size  of  the  sensor  network. 

We observe that for small localization error (less than r) HiRLoc requires fewer messages for
localization compared to all other algorithms. This result seems counterintuitive, since each
locator in our experiment had to transmit twice the number of messages compared to SeRLoc.
However, fewer locators were required in order to achieve the desired localization accuracy, and,
hence, the overall communication cost was lower for HiRLoc. As the required localization accuracy
decreases (above r) SeRLoc becomes more efficient than HiRLoc, since it can achieve good precision
with a relatively small number of locators. It is important to note that though HiRLoc and SeRLoc
have similar performance in communication overhead, HiRLoc needs a much smaller number of
locators to achieve the same localization accuracy. This fact becomes evident in the following
experiments.

² LH = 15 corresponds to each sensor hearing on average 5 locators since locators were equipped with 3-sectored
antennas.

Figure 1.16: (a) Comparison of the average localization error in units of sensor communication range (r) for
varying average number of locators heard at each sensor. SeRLoc, HiRLoc-AV and HiRLoc-RV use three sectored
antennas. One locator for SeRLoc and HiRLoc correspond to three locators for all other algorithms. HiRLoc-AV
uses only one antenna rotation and HiRLoc-RV uses only one communication range reduction. (b) Comparison of
the communication overhead in number of transmitted messages for varying average localization error. HiRLoc-AV
uses only one antenna rotation and HiRLoc-RV uses only one communication range reduction.


1.8.8  HiRLoc:  Antenna  orientation  variation 

In  our  second  experiment  for  HiRLoc,  we  examined  the  impact  of  the  number  of  antenna  rotations 
on  the  size  of  the  ROI.  In  figure  1.17(a)  we  show  the  ROI  vs.  the  number  of  antenna  rotations, 
and  for  varying  LH,  when  3-sector  antennas  are  used  at  each  locator.  Note  that  the  ROI  is 
normalized over the size of the ROI given by SeRLoc denoted by ROI(1) (no antenna rotation).
From  figure  1.13(a),  we  observe  that  even  a  single  antenna  rotation,  reduces  the  size  of  the  ROI 
by  more  than  50%,  while  three  antenna  rotations  reduce  the  size  to  ROI (4)  =  0.12770/(1),  when 
LH  =  5.  A  reduction  of  50%  in  the  size  of  the  ROI  by  a  single  antenna  rotation  means  that 
one  can  deploy  half  the  locators  compared  to  SeRLoc  and  achieve  the  same  localization  accuracy 
by  just  rotating  the  antenna  system  at  each  locator  once.  The  savings  in  number  of  locators  are 
significant  considering  that  the  reduction  in  hardware  requirements  comes  at  no  additional  cost  in 
communication  overhead. 

We  also  observe  that  as  LH  grows  HiRLoc  does  not  reduce  the  ROI  by  the  same  percentage 
compared  to  lower  LH  =  5.  This  is  due  to  the  fact  that  when  the  number  of  locators  heard  at  each 
sensor  is  high,  SeRLoc  provides  an  already  good  estimate  of  the  sensor  location  (small  ROI )  and 
hence,  the  margin  for  reduction  of  the  ROI  size  is  limited. 

In figure 1.17(b) we show the normalized ROI vs. the number of antenna rotations, and for
varying number of antenna sectors at each locator. As in the case of high LH, when the antenna
sectors become narrow (16-sector antennas) SeRLoc already gives a very good location estimate and
hence, HiRLoc does not provide the same improvement as in the case of wider sectors. Furthermore,
when the sectors are already very narrow, it would be expensive to develop a mechanism that would
rotate the antennas at each locator with great precision. Hence, HiRLoc is very efficient when wide
antenna sectors are used at each locator.

[Figure 1.17 panels (a) and (b), both titled: HiRLoc-AV: Antenna orientation variation]

Figure 1.17: (a) Normalized ROI vs. number of antenna rotations for varying LH. The ROI is normalized with
respect to the ROI acquired with no variation of the antenna orientation (application of SeRLoc). (b) Normalized
ROI vs. number of antenna rotations for varying size of antenna sectors.


1.8.9  HiRLoc:  Communication  Range  variation 

In  our  third  experiment  for  HiRLoc,  we  examined  the  impact  of  the  communication  range  variation 
on  the  size  of  the  (ROI).  In  figure  1.18(a)  we  show  the  normalized  ROI  vs.  the  number  of 
communication  range  variations,  and  for  different  LH  values,  when  3-sector  antennas  are  used  at 
each  locator.  Each  locator  transmits  beacons  at  four  different  communication  ranges. 

From figure 1.18(a), we observe that the communication range variation, though it significantly
improves the system performance, does not achieve the same ROI reduction as the antenna
orientation variation.³ This behavior is explained by the fact that the gradual reduction of the
communication range reduces the number of beacons heard at each sensor, in contrast with the
antenna orientation variation case where the same number of locators is heard at the sensors at
each antenna rotation. In addition, we observe that greater ROI reduction occurs when the LH
at each locator is high. This is justified by considering that a higher LH allows for more sectors
with lower communication range to intersect and hence, smaller ROI.

In figure 1.18(b), we show the normalized ROI vs. the number of communication range
variations, and for varying number of antenna sectors at each locator. Though the ROI reduction is
not as high as in the antenna orientation variation case, the communication range variation leads
to significant performance improvement. As in our previous experiment, narrower antenna beams
give a good location estimate and hence, have a smaller margin for improvement.

³ The comparison is valid for the same number of LH, the same number of antenna sectors and the same number
of variations in the antenna rotation and communication range, respectively.

[Figure 1.18 panels (a) and (b), both titled: HiRLoc-RV: Communication range variation]

Figure 1.18: (a) ROI vs. number of range reductions for varying LH. The ROI is normalized with respect to
the ROI acquired with no variation of the communication range (application of SeRLoc). (b) Normalized ROI vs.
number of range reductions for varying size of antenna sectors.

1.9  Summary  of  Contributions 

We introduced the problem of secure localization in wireless ad hoc and sensor networks. We
proposed a range-independent, decentralized localization scheme called SeRLoc that allows nodes to
determine their location in an untrusted environment. We also analytically evaluated the
probability of spoofing the node's location due to security threats such as the wormhole attack, the
Sybil attack and compromise of network entities, and showed that SeRLoc provides accurate
location estimation even in the presence of those threats. In doing so, we used the geometric and
radio range information to detect the attacks on the localization scheme. Our simulation studies also
show that SeRLoc localizes sensors with higher accuracy than state-of-the-art range-independent
localization schemes, while requiring fewer reference points and lower communication cost.
Furthermore, our simulation studies showed that SeRLoc is resilient to sources of error such as location
error of reference points as well as error in the sector determination. We also presented HiRLoc,
a high-resolution localization algorithm that provides improved localization accuracy compared to
SeRLoc, while it preserves the robustness against attacks and does not require additional hardware
resources.


1.10  Appendix 

1.10.1  Choosing  the  system  parameters 

The random deployment of a set $L$ of locators with a density $\rho_L$ = ^ is equivalent to a sequence
of events following a homogeneous Poisson point process of rate $\rho_L$. The random deployment of a
set $S$ of nodes with a density $\rho_s$ = is equivalent to a random sampling of the deployment area
with rate $\rho_s$ [71].
Figure 1.19: Computing the maximum lower bound on P(CR).

Probability  of  hearing  more  than  k  locators 

Since  locators  are  randomly  deployed,  the  probability  for  a  locator  to  be  in  an  area  of  size  Ag 
is  pg  =  In  addition,  the  random  locator  deployment  implies  statistical  independence  between 
locators  being  within  a  network  region  Ag.  Hence,  the  probability  that  exactly  k  locators  are  in  Ag 
is  given  by  the  binomial  distribution. 

$$P(k \in A_g) = \binom{|L|}{k}\, p_g^{k}\, (1 - p_g)^{|L|-k}. \tag{1.31}$$

For $|L|$ 1 and $A_g$ we can approximate the binomial distribution with a Poisson distribution:

$$P(k \in A_g) = \frac{(p_g |L|)^{k}}{k!}\, e^{-p_g |L|} = \frac{(\rho_L A_g)^{k}}{k!}\, e^{-\rho_L A_g}. \tag{1.32}$$

By letting $A_g = \pi R^2$ we can compute the probability of having exactly $k$ locators inside a circle of
radius $R$, centered at the sensor.

$$P(|LH_s| = k) = \frac{(\rho_L \pi R^2)^{k}}{k!}\, e^{-\rho_L \pi R^2}. \tag{1.33}$$

Using  (1.33),  we  compute  the  probability  that  every  sensor  hears  at  least  k  locators.  The  random 
sensor  deployment  implies  statistical  independence  in  the  number  of  locators  heard  by  each  sensor 
and  hence: 

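$$P(|LH_s| \geq k,\ \forall s) = \left(1 - P(|LH_s| < k)\right)^{|S|} = \left(1 - \sum_{i=0}^{k-1} \frac{(\rho_L \pi R^2)^{i}}{i!}\, e^{-\rho_L \pi R^2}\right)^{|S|}. \tag{1.34}$$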
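
An added Python example, not code from the report, that evaluates (1.34) and inverts it by bisection to find the smallest locator density meeting a target probability. The values of k, R, |S| and the 0.99 target are constructed for illustration.

```python
from math import exp, pi


def poisson_below(k, mean):
    """P(N < k) for N ~ Poisson(mean): the sum inside (1.34)."""
    term = exp(-mean)              # i = 0 term: mean^0 / 0! * e^{-mean}
    total = 0.0
    for i in range(k):
        total += term
        term *= mean / (i + 1)     # next term: mean^(i+1) / (i+1)! * e^{-mean}
    return total


def p_all_hear_at_least(k, rho_l, radius, n_sensors):
    """Equation (1.34): probability that each of n_sensors sensors hears
    at least k locators, for locator density rho_l and range radius."""
    mean = rho_l * pi * radius ** 2    # expected locators inside a disc of radius R
    return (1.0 - poisson_below(k, mean)) ** n_sensors


def min_locator_density(k, radius, n_sensors, target, rel_tol=1e-9):
    """Smallest rho_L for which (1.34) reaches `target`.

    (1.34) is increasing in rho_L, so bisection applies. The tolerance is
    relative so the loop terminates for any magnitude of the answer.
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    if k <= 0:
        return 0.0                 # hearing at least 0 locators is certain
    lo = 0.0                       # (1.34) is 0 here for k >= 1
    hi = 1.0 / (pi * radius ** 2)  # one expected locator per disc
    while p_all_hear_at_least(k, hi, radius, n_sensors) < target:
        lo, hi = hi, 2.0 * hi      # grow the bracket until the target is met
    while hi - lo > rel_tol * hi:
        mid = (lo + hi) / 2.0
        if p_all_hear_at_least(k, mid, radius, n_sensors) >= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    R, N_SENSORS, TARGET = 10.0, 200, 0.99   # constructed sample parameters
    for k in (1, 2, 3, 5):
        rho = min_locator_density(k, R, N_SENSORS, TARGET)
        print(f"k={k}: rho_L >= {rho:.5f} locators per unit area "
              f"({rho * pi * R ** 2:.1f} expected within range)")
```

The density needed grows quickly with |S| because (1.34) requires the per-sensor tail probability to hold for every sensor at once.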


1.10.2 Maximizing the lower bound on P(CR)

The  lower  bound  on  detection  probability  based  on  the  communication  range  constraint  property 
is  given  by: 

$$P(CR) \geq \left(1 - e^{-\rho_L A_i}\right)\left(1 - e^{-\rho_L A_j}\right). \tag{1.35}$$

We want to compute the values of $A_i$, $A_j$ that maximize the right side of (1.35). From figure 1.19,

$$A_i(x) = 2\int_{R-x}^{R} \sqrt{R^2 - z^2}\,dz, \qquad A_j(x) = 2\int_{R+x-l}^{R} \sqrt{R^2 - z^2}\,dz, \tag{1.36}$$

where $l = \|s - O\|$. Since both $A_i$, $A_j$ are expressed as functions of $x$, the lower bound $LB(x)$ on
$P(CR)$ can be expressed as:

$$LB(x) = \left(1 - e^{-\rho_L A_i(x)}\right)\left(1 - e^{-\rho_L A_j(x)}\right). \tag{1.37}$$

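To maximize $LB(x)$ we differentiate over $x$ and set the derivative equal to zero:

$$\begin{aligned}
LB'(x) &= \rho_L A_i'(x)\, e^{-\rho_L A_i(x)} + \rho_L A_j'(x)\, e^{-\rho_L A_j(x)} - \rho_L \left(A_i'(x) + A_j'(x)\right) e^{-\rho_L (A_i(x) + A_j(x))} \\
&= \rho_L A_i'(x) \left(e^{-\rho_L A_i(x)} - e^{-\rho_L (A_i(x) + A_j(x))}\right) + \rho_L A_j'(x) \left(e^{-\rho_L A_j(x)} - e^{-\rho_L (A_i(x) + A_j(x))}\right) = 0.
\end{aligned} \tag{1.38}$$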

A trivial solution to $LB'(x) = 0$ is $A_i(x) = 0$ or $A_j(x) = 0$, but both yield a minimum rather than
a maximum ($LB(x) = 0$). However, if we set $A_i(x) = A_j(x)$, from (1.36), $R + x - l = R - x \Rightarrow
x = \frac{l}{2}$. In addition, differentiating (1.36) and evaluating at $x = \frac{l}{2}$ yields $A_i'(\frac{l}{2}) = -A_j'(\frac{l}{2})$.
Hence, for $A_i(x) = A_j(x)$, $LB'(x) = 0$, and the maximum value on the lower bound $LB(x)$ is
achieved. The values of $A_i$, $A_j$ that maximize $LB(x)$ are,

A*(x)  =  2  [  'Jr?  —  z2dz  =  x\J R?  —  x2  —  R2  tan^1  (  ^  j  (1.39) 

J  R—x  \  X  R  J 
Chapter 2


A  Graph  Theoretic  Framework  for 
Preventing  the  Wormhole  Attack  in 
Wireless  Ad  Hoc  Networks 


Infrastructureless  networks  such  as  wireless  ad  hoc  and  sensor  networks  rely  on  the  collaboration 
among  network  nodes  in  implementing  most,  if  not  all,  network  operations.  Moreover,  due  to  limited 
resources  of  the  wireless  devices,  algorithms  and  protocols  are  designed  and  implemented  to  allow 
distributed  collaborative  communication  and  computing  involving  multiple  nodes.  For  example, 
two  nodes  that  are  not  within  the  direct  communication  range  will  have  to  rely  on  intermediate 
nodes  to  exchange  messages,  thus  forming  multihop  networks. 

To implement distributed algorithms and coordinate the cooperation among network nodes, a
number of control messages need to be exchanged in every local neighborhood. For example, to
deliver protocol status updates, nodes broadcast their up-to-date information. In addition, the
inherent broadcast nature of the wireless medium significantly reduces the energy expenditure for
sending an identical message from a single sender to multiple receivers within the same
neighborhood. Hence, broadcasting is an efficient and frequent operation in many network functions.
However, a wireless ad hoc network may be deployed in hostile environments, where network nodes
operate un-tethered. Moreover, the wireless medium exposes any message transmission to a
receiver located within the communication range. Hence, in a wireless environment, it is critical to
secure any broadcast transmission from a node to its immediate neighbors. A node receiving a
broadcast transmission must verify that (a) the message has not been altered in transit (integrity),
(b) it originates from a valid and identifiable network source (authenticity), (c) the message is not
a replay of an old transmission (freshness), and (d) in the case of a local broadcast intended only
for immediate neighbors, the source lies within the receiving node's communication range.

Recently,  it  has  become  evident  that  verification  of  the  integrity,  authenticity  and  freshness  of 
a  message  via  cryptographic  methods,  is  not  sufficient  to  conclude  that  a  local  broadcast  message 
originated  from  a  one-hop  (immediate)  neighbor  of  the  receiving  node  [90,127,169].  In  this  paper, 
we  investigate  a  specific  type  of  attack,  known  as  the  wormhole  attack  [90,127,169].  Such  attacks 
are  relatively  easy  to  mount,  while  being  difficult  to  detect  and  prevent.  In  a  wormhole  attack,  an 
adversary  records  information  at  one  point  of  the  network  (origin  point),  tunnels  it  to  another  point 
of the network via a low-latency link (destination point), and injects the information back into the
network.  Since  in  the  wormhole  attack  the  adversary  replays  recorded  messages,  it  can  be  launched 
without  compromising  any  network  node,  or  the  integrity  and  authenticity  of  the  communication, 
and  hence,  the  success  of  the  attack  is  independent  of  the  strength  of  the  cryptographic  method 
used  to  protect  the  communication.  In  addition,  the  lack  of  communication  compromise  makes  this 
type  of  attack  “invisible”  to  the  upper  network  layers  [90].  As  a  consequence,  using  a  wormhole 
attack,  an  adversary  can  lead  two  nodes  located  more  than  one  hop  away  into  believing  that  they  are 
within  communication  range  and  into  exchanging  information  as  if  they  were  immediate  neighbors. 

Several  approaches  have  been  presented  for  defending  against  the  wormhole  attack  [61,88-90, 
166,169].  The  solutions  proposed  attempt  to  bound  the  distance  that  any  message  can  travel  [90]  or 
securely  discover  the  set  of  one-hop  neighbors  [61,88,89,166,169].  In  this  paper,  we  show  that  any 
defense  mechanism  against  the  wormhole  attack  can  be  interpreted  by  a  graph  theoretic  framework. 
We  make  the  following  contributions. 


2.0.3  Our  Contributions 

We  present  a  graph  theoretic  framework  for  modeling  of  the  wormhole  attack  and  state  the  necessary 
and  sufficient  conditions  for  any  candidate  solution  to  prevent  such  an  attack.  We  show  that  any 
previously  proposed  methods  [61,88-90,166,169]  or  future  solutions  have  to  satisfy  our  conditions 
in  order  to  prevent  wormholes.  In  addition,  we  also  propose  a  cryptographic  mechanism  based  on 
keys  only  known  within  each  neighborhood,  which  we  call  local  broadcast  keys  (LBKs),  in  order 
to  secure  the  network  from  wormhole  attacks  and  show  that  our  solution  satisfies  the  conditions  of 
the  graph  theoretic  framework.  We  present  a  centralized  method  for  establishing  LBKs,  when  the 
location  of  all  the  nodes  is  known  to  a  central  authority  (base  station).  Furthermore,  we  propose  a 
decentralized  mechanism  for  LBK  establishment  that  defends  against  wormholes  with  a  probability 
very  close  to  unity.  Based  on  Spatial  Statistics  theory  [71],  we  provide  an  analytical  evaluation  of 
the  level  of  security  achieved  by  our  scheme  to  support  our  claims. 

Compared  to  previously  proposed  methods  [61,89,90],  our  solution  does  not  require  any  time 
synchronization  or  highly  accurate  clocks.  In  addition,  our  method  requires  only  a  small  fraction  of 
the  network  nodes  to  know  their  location.  Finally,  our  approach  is  based  on  symmetric  cryptography 
rather  than  expensive  asymmetric  cryptography  and  hence  is  computationally  efficient,  while  it 
requires  each  node  to  broadcast  only  a  small  number  of  messages  thus  having  a  small  communication 
overhead.  Due  to  its  efficiency,  our  method  is  applicable  to  ad  hoc  networks  with  very  stringent 
resource  constraints,  such  as  wireless  sensor  networks. 


2.1  Problem  Statement 

In  this  section,  we  present  the  wormhole  attack  model  and  illustrate  how  a  wormhole  attack  can 
significantly  impact  the  performance  of  network  protocols,  such  as  routing,  and  applications  of 
wireless  ad  hoc  networks,  such  as  monitoring.  We  then  abstract  the  problem  using  graph  theory 
and  provide  the  necessary  and  sufficient  conditions  to  prevent  the  wormhole  attack.  Throughout 
the  rest  of  the  paper,  we  will  use  the  terms  wormhole  attack  and  wormhole  problem  interchangeably 
to  refer  to  a  network  with  wormhole  links. 
2.1.1 Wormhole Attack Model

To  launch  a  wormhole  attack,  an  adversary  initially  establishes  a  low-latency  link  between  two 
points  in  the  network.  We  will  refer  to  the  attacker’s  link  as  wormhole  link  or  simply  wormhole. 
Once  the  wormhole  link  is  established,  the  attacker  eavesdrops  on  messages  at  one  end  of  the  link, 
referred to as the origin point, tunnels them through the wormhole link, and replays them at the
other  end  of  the  link,  referred  to  as  the  destination  point. 

If  the  distance  separation  between  the  origin  point  and  destination  point  is  longer  than  the 
communication  range  of  the  nodes,  any  node  at  the  origin  point  will  rely  on  multi-hop  paths  to 
communicate  with  nodes  at  the  destination  point.  Hence,  the  attacker  can  use  the  low-latency  link 
to  re-broadcast  recorded  packets  at  the  destination  point  faster  than  they  would  normally  arrive  via 
the  multi-hop  route.  A  low-latency  link  can  be  realized  with  a  wired  connection,  an  optic  connection, 
a  long-range,  out-of-band  wireless  directional  transmission,  or  even  a  multi-hop  combination  of  any 
of  the  aforementioned  types  of  connections,  as  long  as  the  latency  in  the  wormhole  path  is  less  than 
or  equal  to  the  latency  in  the  legitimate  multi-hop  path. 

In  a  wormhole  attack,  the  devices  and  wormhole  links  deployed  by  the  adversary  do  not  become 
part  of  the  network.  The  devices  used  to  mount  the  attack  do  not  need  to  hold  any  valid  network 
IDs and, hence, the adversary does not need to compromise any cryptographic quantities or network
nodes  in  order  to  perform  the  attack.  Any  key  used  by  valid  network  nodes  for  encryption  remains 
secret,  and  the  integrity  and  authenticity  of  the  replayed  messages  is  preserved.  The  lack  of  need 
to  compromise  any  valid  network  entity  makes  the  wormhole  attack  “invisible”  to  the  upper  layers 
of  the  network  [90].  Furthermore,  the  adversary  need  not  allocate  computational  resources  for 
compromising  the  communications,  thus  making  the  wormhole  attack  very  easy  to  implement. 

The  assumption  of  not  compromising  the  network  communications  is  a  reasonable  one  since 
if  the  adversary  were  to  gain  access  to  cryptographic  keys  used  in  the  network,  it  would  have  no 
need  to  record  messages  at  one  part  of  the  network,  tunnel  them  via  a  direct  link,  and  replay 
them  to  some  other  part  of  the  network.  Instead,  the  adversary  can  use  the  compromised  keys 
to  fabricate  any  message  and  inject  it  into  the  network  as  legitimate.  Using  compromised  keys  to 
impersonate  a  valid  node,  and  fabricate  and  inject  bogus  messages  into  the  network,  known  as  the 
Sybil  attack  [74, 124],  is  overall  a  different  problem  than  the  wormhole  attack  and  is  not  addressed 
in  this  paper.  We  present  our  reasoning  on  assuming  non-compromise  of  cryptographic  keys  and 
nodes  in  our  discussion  in  Section  2.7. 

Finally,  in  our  wormhole  attack  model,  we  assume  that  the  adversary  does  not  launch  any 
Denial-of-Service  (DoS)  attacks  against  network  entities.  The  goal  of  the  adversary  is  to  remain 
undetected  and,  hence,  DoS  attacks,  such  as  jamming  of  the  communication  medium  as  well  as 
battery  exhaustion  attacks,  are  not  performed  by  an  adversary  mounting  a  wormhole  attack.  We 
now  present  examples  on  the  impact  of  a  wormhole  attack  on  network  protocols. 

2.1.2  Wormhole  Threat  Against  Network  Protocols 
Wormhole  attack  against  routing  protocols 

Ad hoc network routing protocols can be classified into periodic protocols [54, 122, 130] and
on-demand protocols [92, 129]. In periodic protocols, every node is aware of the routing path towards
any  destination  at  any  given  time  and  periodically  exchanges  information  with  its  neighbors  to 
maintain  the  best  network  routes.  In  on-demand  protocols,  a  routing  path  is  discovered  only  when 
a  node  wants  to  send  messages  to  some  destination.  A  wormhole  attack  can  affect  both  categories 
of  routing  protocols  in  the  following  ways. 

Figure  2.1:  (a)  Wormhole  attack  on  a  distance  vector-based  routing  protocol,  (b)  Wormhole  attack  against  an 
on-demand  routing  protocol. 


Periodic  Protocols 

Periodic  protocols  are  based  on  the  distance  vector  routing  algorithm,  which  was  initially  proposed 
for  wired  networks  [49].  In  distance  vector  routing,  each  node  stores  a  routing  table  that  contains 
for each possible destination the associated routing cost, usually in number of hops, and the
corresponding next hop towards that destination. Periodically, or when a route change occurs, each node
broadcasts  its  routing  table  in  order  to  inform  its  neighbors  about  possible  route  changes.  Every 
node  that  receives  a  route  update  adjusts  its  own  routing  table  based  on  the  broadcast  received 
from  the  neighboring  nodes. 

As an example, consider figure 2.1(a), which shows an ad hoc network of 13 nodes. In figure
2.1(a), a node $s_i$ is connected to a node $s_j$ if the distance between them is less than the
communication range $r$. Consider an attacker establishing a wormhole link between nodes $s_9$ and $s_2$, using
a low-latency link. When node $s_9$ broadcasts its routing table, node $s_2$ will hear the broadcast via
the wormhole and assume it is one hop away from $s_9$. Then, $s_2$ will update its table entries for
node $s_9$, reachable via one hop, nodes $\{s_8, s_{10}, s_{11}, s_{12}\}$, reachable via two hops, and broadcast its
own routing table. Similarly, the neighbors of $s_2$ will adjust their own routing tables. Note that
nodes $\{s_1, s_3, s_4, s_5, s_7\}$ now route via $s_9$ to reach any of the nodes $\{s_9, s_{10}, s_{11}, s_{12}\}$.


On-demand  Protocols 

A wormhole attack against on-demand routing protocols can result in similar false route
establishment as in the case of periodic protocols. Consider the route discovery mechanism employed in
DSR [92] and AODV [129] protocols. A node A initiates a route discovery to node B by
broadcasting a route request message. All nodes that hear the route request message will re-broadcast the
request  until  the  destination  B  has  been  discovered.  Once  the  destination  B  is  reached,  node  B  will 
respond  with  a  route  reply  message.  The  route  reply  message  will  follow  a  similar  route  discovery 
procedure,  if  the  path  from  B  to  A  has  not  been  previously  discovered.  If  an  attacker  mounts  a 
wormhole  link  between  the  route  request  initiator  A  and  the  destination  B,  and  if  A,  B  are  more 
than  one  hop  away,  then  a  one-hop  route  via  the  wormhole  will  be  established  from  A  to  B. 

As an example, consider figure 2.1(b), which is the same topology as in figure 2.1(a). Consider
that the attacker establishes a wormhole link between nodes $s_9$ and $s_2$ and assume that node
$s_9$ wants to send data to node $s_2$. When node $s_9$ broadcasts the route request, the attacker will
forward the request via the wormhole link to node $s_2$. Node $s_2$ will reply with a route reply and
the attacker, using the wormhole link, will forward the reply to node $s_9$. At this point, nodes $s_2$, $s_9$ will
establish a route via the wormhole link, as if they were one-hop neighbors. Similarly, if any of the
nodes $\{s_1, s_3, s_4, s_5, s_7\}$ wants to send data to any of the nodes $\{s_9, s_{10}, s_{11}, s_{12}\}$, the routing paths
established will include the wormhole link.

Figure 2.2: Wormhole attack against a local broadcast protocol.

From  our  examples  and  the  existing  literature  [90],  we  note  that  the  existence  of  wormhole 
links  impacts  the  network  routing  service  performance  in  the  following  three  ways:  (1)  nodes  can 
become  sinkholes  [94]  without  even  being  aware  that  they  are  victims  of  a  wormhole  attack  (as 
noted in both figures 2.1(a) and 2.1(b), nodes $s_2$, $s_9$ become sinkhole nodes and attract all traffic
from  surrounding  nodes).  Hence,  a  significant  amount  of  traffic  is  routed  through  the  wormhole 
link  and  the  attacker  can  control  and  observe  a  significant  amount  of  traffic  flow  without  the  need 
to  deploy  multiple  observation  points.  (2)  If  an  attacker  kept  the  wormhole  link  functional  at  all 
times  and  did  not  drop  any  packets,  the  wormhole  would  actually  provide  a  useful  network  service 
by  expediting  the  packet  delivery.  However,  by  selectively  dropping  packets,  the  attacker  can  lower 
the  throughput  of  the  network.  (3)  Furthermore,  by  simply  switching  the  wormhole  link  on  and 
off,  the  attacker  can  trigger  a  route  oscillation  within  the  network,  thus  leading  to  a  DoS  attack, 
driving  the  routing  service  to  be  unusable. 


Wormhole  attack  against  local  broadcast  protocols 

In many applications, nodes need to communicate some information only within their
neighborhood. For example, in localization protocols [105,146,148], nodes determine their location based on
information  provided  by  the  neighbors.  In  wireless  sensor  networks,  sensors  performing  monitoring 
(for  example  tracking  the  movement  of  an  object),  may  broadcast  local  measurements  to  a  central 
node  or  clusterhead  that  estimates  target  related  parameters,  such  as  location  and  velocity  of  the 
target.  In  such  applications,  false  local  information  can  lead  to  significant  performance  degradation 
of  the  estimation  algorithms.  Currently,  all  the  tracking  algorithms  assume  that  the  input  data  is 
noisy  and  at  times  may  use  cryptographic  mechanisms  to  verify  the  authenticity  of  the  data. 

As an example, consider the setup in figure 2.2, where sensor node $s_1$ is responsible for triggering
an alarm in region A, if the temperature in region A rises above a certain threshold. Let's assume
that sensor $s_1$ makes use of a majority-based algorithm that triggers the alarm if the majority of
its immediate neighbors report temperature measurements above a specific threshold. Assume that
an attacker records the temperature broadcasts from region B and re-broadcasts the data to region
A via the wormhole link. If the number of distinct measurements replayed via the wormhole link
exceeds the collected distinct measurements from region A, the temperature in region A may never
impact the decision to trigger the alarm in A.

From  the  above  examples,  we  note  that  in  order  to  prevent  the  wormhole  attack,  there  must 
be  some  mechanism  to  ensure  that  any  transmission  received  by  a  node  s  indeed  originates  from 
a  valid  one-hop  neighbor  of  s  that  is  located  within  its  communication  range.  We  now  show  that 
these  ideas  can  be  formalized  using  a  graph  theoretic  framework. 


2.1.3  Graph  theoretic  formulation  of  the  wormhole  problem  and  its  solution 

Consider  an  ad  hoc  network  deployed  with  any  node  i  having  a  communication  range  r.  Such  a 
network  can  be  modeled  as  a  geometric  graph  [128],  defined  as  follows: 


Definition 1 - Geometric Graph - Given a finite set of vertices $V \subset \mathbb{R}^d$ ($d = 2$, for planar graphs),
we denote by $G(V, r)$ the undirected graph with vertex set $V$ and with undirected edges connecting
pairs of vertices $(i, j)$ with $\|i - j\| \leq r$, where $\|\cdot\|$ is some norm on $\mathbb{R}^d$ [128]. The entries of the
edge, or connectivity matrix, denoted by $e$, are given by

$$e(i,j) = \begin{cases} 1, & \text{if } \|i - j\| \leq r \\ 0, & \text{if } \|i - j\| > r. \end{cases} \tag{2.1}$$


Geometric graphs have long been considered a useful model for deriving insightful analytic
results in wireless ad hoc networks [50,65,75,76]. The network protocols developed for ad hoc
networks are implicitly designed based on the geometric graph model. For example, routing algorithms
assume that for two nodes that are not within communication range, a multi-hop route must be
constructed. In addition, the networking protocols define one-hop neighbors of an arbitrary node
$s$ as those nodes that can directly hear any broadcast transmission from node $s$. However, the
existence of wormhole links violates the model in (2.1) by allowing direct links longer than $r$, thus
transforming the initial geometric graph $G(V, r)$ into a logical graph $\tilde{G}(V, E_{\tilde{G}})$, where arbitrary
connections can be established. Hence, even a single non-trivial wormhole will always result in
a communication graph with increased number of ones in the binary connectivity matrix
compared to the connectivity matrix of the wormhole-free communication graph. We now formalize
the wormhole problem based on the geometric graph property expressed in (2.1).

Wormhole problem: A network is vulnerable to the wormhole attack if there exists at least one
edge $e(i,j)$ such that $e(i,j) = 1$ for $\|i - j\| > r$, where $r$ is the communication range of nodes.

Any candidate solution to the wormhole problem should construct a communication graph
$G'(V, E_{G'})$, where no link longer than $r$ exists. Any edge $e(i,j)$ of the communication graph
$G'(V, E_{G'})$ satisfies (2.1), and hence, the communication graph solving the wormhole problem will
always be a subgraph of the geometric graph of the network, i.e. $G'(V, E_{G'}) \subseteq G(V, r)$. Figure 2.3
graphically represents the extraction of the wormhole-free communication graph $G'(V, E_{G'})$ from
the wormhole-infected graph $\tilde{G}(V, E_{\tilde{G}})$ via the application of a transformation $S : G \times \tilde{G} \to G'$,
when the geometric graph $G(V, r)$ is known.

Figure 2.3: The wormhole embedded graph theoretic model. The wormhole-infected graph $\tilde{G}(V, E_{\tilde{G}})$ is transformed
via a solution $S(G, \tilde{G})$ into a communication graph $G'(V, E_{G'})$, with $E_{G'} \subseteq E_G$.

Note that the wormhole-infected graph $\tilde{G}$, the geometric graph $G$, and the communication graph
$G'$ have the same set of vertices $V$ since, as mentioned in Section 2.1.1, the devices deployed by
the adversary launching a wormhole attack do not become part of the network (they do not acquire
valid network identities). Also, note that the sets of edges $E_G$, $E_{G'}$, $E_{\tilde{G}}$ are determined based on
fixed node locations. If the nodes of the network are mobile, the set of edges on each graph may
change according to the node locations at any given time. Despite the changing network topology,
at any time and for a given location, any valid solution to the wormhole problem should construct
a communication graph that is a subgraph of the geometric graph. We now formalize the necessary
and sufficient condition for solving the wormhole problem in the following theorem.

Theorem 1 Given a geometric graph $G(V, r)$ defined as in (2.1), and an arbitrary logical graph
$\tilde{G}(V, E_{\tilde{G}})$, a transformation $S : G \times \tilde{G} \to G'$ of $\tilde{G}(V, E_{\tilde{G}})$ into a communication graph $G'(V, E_{G'})$
is a solution to the wormhole problem iff the set of edges of $G'$ is a subset of the set of edges of
$G(V, r)$, i.e. $E_{G'} \subseteq E_G$.

Proof 6 Assume that $G' = S(G, \tilde{G})$ prevents the wormhole attack. Let $C_X$ denote the connectivity
matrix of graph $X$. If $E_{G'} \not\subseteq E_G$, there exists a pair of nodes $(i, j)$ for which $C_G(i,j) = 0$ and
$C_{G'}(i,j) = 1$. For such node pairs, $e(i,j) = 1$, with $\|i - j\| > r$, and the communication range
constraint is violated. Hence, in order for $S(G, \tilde{G})$ to prevent the wormhole attack, it follows that
$E_{G'} \subseteq E_G$.

The converse follows immediately. If $E_{G'} \subseteq E_G$, then $C_{G'}(i,j) \leq C_G(i,j),\ \forall i, j \in V$. Hence,
there is no edge $e'(i,j) \in E_{G'}$ such that $e'(i,j) = 1$, $\|i - j\| > r$, and the graph $G'$ is wormhole free.

Note that a trivial graph $G'$ with no links ($E_{G'} = \emptyset$) satisfies the conditions of Theorem
1. However, to ensure communication between all network nodes, we seek solutions that construct
a connected subgraph of $G$. A necessary but not sufficient condition for a connected subgraph to
exist is that the original graph $G$ is also connected.

We also note that the transformation $G' = S(G, \tilde{G})$ requires the knowledge of the geometric
random graph $G(V, r)$, defined by the location of the vertices, and the communication range $r$.
When nodes do not have a global view of the network (i.e., do not know the location of other nodes), to verify
Theorem 1, an alternative way to construct a connected subgraph of the geometric random graph
$G(V, r)$ must be developed. If the geometric graph can be constructed, all wormhole links can be
eliminated using Corollaries 1 and 2.
Corollary 1 We can identify and eliminate the wormhole links of a logical graph $\tilde{G}(V, E_{\tilde{G}})$ by
performing an exclusive or (XOR) operation between the connectivity matrices of $\tilde{G}$ and the geometric
graph $G(V, r)$, corresponding to the set of vertices $V$ and communication range $r$.

To illustrate how we can identify the wormhole links using Corollary 1, consider the network of
figure 2.1(a). Each row $i$ of the connectivity matrix denotes the links of node $i$ (we have assumed
that links between nodes are bi-directional). Using the notation $C_X(i)$ for the row vector of matrix
$C_X$ corresponding to the node $s_i$, the row vectors corresponding to node $s_2$, for the connectivity
matrices $C_{\tilde{G}}$ and $C_G$, are

$$C_{\tilde{G}}(2) = [1\ 0\ 1\ 1\ 1\ 0\ 0\ 0\ 1\ 0\ 0\ 0\ 0], \qquad C_G(2) = [1\ 0\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0].$$

By performing an XOR operation between $C_{\tilde{G}}$, $C_G$, we can identify all wormhole links and
corresponding nodes that are affected by the non-zero entries in matrix $(C_{\tilde{G}} \oplus C_G)$. In figure 2.1(a), the
second row of the matrix $C_{\tilde{G}} \oplus C_G$ resulting from the XOR operation is

$$(C_{\tilde{G}} \oplus C_G)(2) = [0\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 1\ 0\ 0\ 0\ 0], \tag{2.2}$$

and a wormhole link exists between node $s_2$ and node $j$ for which $(C_{\tilde{G}} \oplus C_G)(2, j) = 1$. In our
example the wormhole link between node $s_2$ and node $s_9$ is successfully identified.

Note that according to Theorem 1 any connected subgraph of $G(V, r)$ is sufficient to prevent any wormhole attack. For a subgraph of $G(V, r)$ an XOR operation may identify valid links of $G(V, r)$ as wormhole links. However, along with the false positives, all the wormhole links are detected. For example, consider a subgraph $G'(V, E_{G'}) \subseteq G(V, r)$ for the network of figure 2.1(a), for which node $s_2$ is not connected to node $s_3$. For the subgraph $G'$, the second row of the connectivity matrix is

$$C_{G'}(2) = [1\ 0\ 0\ 1\ 1\ 0\ 0\ 0\ 0\ 0\ 0\ 0\ 0], \qquad (C_{\tilde{G}} \oplus C_{G'})(2) = [0\ 0\ 1\ 0\ 0\ 0\ 0\ 0\ 1\ 0\ 0\ 0\ 0].$$

By performing an XOR operation between $C_{\tilde{G}}$ and $C_{G'}$, we identify all wormhole links (link from node $s_2$ to node $s_9$) and some false positives (link from node $s_2$ to node $s_3$). Eliminating both the wormhole links and the false positives to construct graph $G'$ is an acceptable solution as long as $G'$ is a connected graph. We summarize the wormhole elimination in Corollary 2.

Corollary 2 We can identify and eliminate the wormhole links of a logical graph $\tilde{G}(V, E_{\tilde{G}})$ by performing an exclusive or (XOR) operation between the connectivity matrices of $\tilde{G}$ and any subgraph $G'(V', E'_G)$ of $G(V, r)$, where $G(V, r)$ is the geometric random graph corresponding to the set of vertices $V$ and communication range $r$.
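The XOR check of Corollaries 1 and 2, as an added Python example that is not part of the original report. The six node positions, the range r = 1.2 and the wormhole between nodes 0 and 5 are constructed for illustration, and node indices are 0-based.

```python
import math
from collections import deque
from itertools import combinations


def geometric_matrix(positions, r):
    """Connectivity matrix of the geometric graph G(V, r): 1 iff two nodes are within r."""
    n = len(positions)
    c = [[0] * n for _ in range(n)]
    for i, j in combinations(range(n), 2):
        if math.dist(positions[i], positions[j]) <= r:
            c[i][j] = c[j][i] = 1
    return c


def with_links(matrix, links, value):
    """Copy of a symmetric matrix with the given bi-directional links set to value."""
    out = [row[:] for row in matrix]
    for i, j in links:
        out[i][j] = out[j][i] = value
    return out


def xor_links(c_logical, c_reference):
    """Links (i, j), i < j, at the non-zero entries of C_logical XOR C_reference."""
    n = len(c_logical)
    return {(i, j) for i, j in combinations(range(n), 2)
            if c_logical[i][j] ^ c_reference[i][j]}


def is_connected(matrix):
    """Breadth-first search from node 0; True iff every node is reached."""
    seen, queue = {0}, deque([0])
    while queue:
        i = queue.popleft()
        for j, linked in enumerate(matrix[i]):
            if linked and j not in seen:
                seen.add(j)
                queue.append(j)
    return len(seen) == len(matrix)


def eliminate_wormholes(c_logical, c_reference):
    """Drop every link flagged by the XOR; reject the result if G' is not connected."""
    flagged = xor_links(c_logical, c_reference)
    cleaned = with_links(c_logical, flagged, 0)
    if not is_connected(cleaned):
        raise ValueError("reference is not a connected subgraph; G' is unusable")
    return flagged, cleaned


# Constructed sample network (not taken from figure 2.1).
POSITIONS = [(0, 0), (1, 0), (0.5, 0.8), (2, 0), (3, 0), (4, 0)]
RANGE = 1.2
WORMHOLE = (0, 5)                              # nodes 0 and 5 are 4.0 apart

C_G = geometric_matrix(POSITIONS, RANGE)       # geometric graph G(V, r)
C_LOGICAL = with_links(C_G, [WORMHOLE], 1)     # logical graph seen under attack
C_SUB = with_links(C_G, [(0, 2)], 0)           # connected subgraph of G(V, r)
C_BROKEN = with_links(C_G, [(1, 3)], 0)        # subgraph that splits the network

if __name__ == "__main__":
    print("Corollary 1:", sorted(eliminate_wormholes(C_LOGICAL, C_G)[0]))
    print("Corollary 2:", sorted(eliminate_wormholes(C_LOGICAL, C_SUB)[0]))
```

With the subgraph as reference, the valid link (0, 2) is flagged together with the wormhole, which is the false positive the text describes; the disconnected reference is rejected.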

Theorem  1  and  corollaries  1,  2,  provide  the  necessary  framework  to  detect  and  prevent  any 
wormhole  attack.  We  will  specifically  utilize  them  in  the  context  of  geometric  random  graphs,  since 
we  assume  that  our  network  is  randomly  deployed.  Based  on  our  graph  theoretic  formulation,  the 
wormhole  problem  can  be  reduced  to  the  problem  of  constructing  a  communication  graph  that 
is  a  connected  subgraph  of  the  geometric  random  graph,  without  the  explicit  knowledge  about 
the  geometric  graph.  Before  we  present  our  solution  on  constructing  a  subgraph  of  the  geometric 
random  graph,  we  describe  the  needed  network  model  assumptions. 

2.2 Network Model Assumptions


Network  deployment 

We assume that the network consists of a large number of nodes, randomly deployed within the network region $A$. We also assume that a small fraction of network nodes, called guards, is assigned special network operations. Network nodes are deployed with a density $\rho_s$ while guards are deployed with a density $\rho_g$, with $\rho_s \gg \rho_g$.


Antenna  model 

We assume that the guards can transmit with higher power than regular nodes and/or are equipped with different antenna types. Specifically:

(a) Network nodes - We assume that network nodes are equipped with omnidirectional antennas and transmit with a power $P_s$. The directivity gain of the node antenna is $D_s = 1$.

(b) Guards - We assume that guards can transmit with a power $P_g > P_s$. We also assume that guards can be equipped with either omnidirectional or directional antennas, with a directivity gain $D_g \geq 1$.

Based on the antenna model assumptions, both symmetric as well as asymmetric modes of communication between different network nodes are possible. Let the signal attenuation over space be proportional to some exponent $\gamma$ of the distance $d$ between two nodes, times the antenna directivity gain $D \in \{D_s, D_g\}$, i.e. $\frac{P_s}{P_r} = c D^2 d^{\gamma}$, with $2 \leq \gamma \leq 5$, where $c$ denotes the proportionality constant and $P_r$ denotes the minimum required receive power for communication. If $r_{nn}$ denotes the node-to-node communication range and $r_{ng}$ denotes the node-to-guard communication range, then [47],

$$\frac{P_s}{P_r} = c D_s^2 (r_{nn})^{\gamma} = c (r_{nn})^{\gamma}, \qquad \frac{P_s}{P_r} = c D_s D_g (r_{ng})^{\gamma} = c D_g (r_{ng})^{\gamma}. \tag{2.3}$$

From (2.3), it follows $r_{ng} = r_{nn} (D_g)^{\frac{1}{\gamma}}$. Similarly, if $r_{gn}$ denotes the guard-to-node communication range (guards transmit with $P_g > P_s$ and hence, $r_{gn} > r_{ng}$), the guard-to-guard communication range $r_{gg}$ is equal to $r_{gg} = r_{gn} (D_g)^{\frac{2}{\gamma}}$. For notational simplicity, we will refer to the node-to-node communication range as $r_{nn} = r$, the guard-to-node communication range as $r_{gn} = R$, and the guard directivity gain as $D$. Table 2.1 summarizes the four possible communication modes with appropriate ranges indicated.

Table 2.1: The four communication modes between nodes and guards. Each entry denotes the range of communication for that mode.

Sender \ Receiver    Node    Guard
Node                 $r$     $r D^{\frac{1}{\gamma}}$
Guard                $R$     $R D^{\frac{2}{\gamma}}$

The assumption that guards are able to transmit with higher power than network nodes is a reasonable one, especially for low-power networks such as sensor networks. A typical sensor has a communication range from 3 ~ 30 m with a transmission power of $P_s = 0.75$ mW [118]. Hence, guards need to transmit with a power $P_g = 75$ mW to achieve a communication range ratio $\frac{R}{r} = 10$ when $\gamma = 2$ even without the use of directional antennas.

Note  that  we  have  assumed  that  the  communication  range  of  both  the  guards  and  the  nodes 
does  not  vary  with  direction  and  the  environment  (unit  disk  graph  model).  This  assumption  has 
been  made  to  facilitate  the  derivation  of  analytical  expressions  quantifying  the  level  of  security 
achievable by our method¹. Clearly, while the unit disk model provides theoretical performance
bounds,  knowledge  of  the  statistics  of  the  variation  of  the  communication  range  is  needed  to  provide 
a  more  robust  approach.  We  discuss  the  effect  of  the  variation  of  the  communication  range  due 
to  the  heterogeneity  of  the  wireless  medium  in  Section  1.8  and  present  performance  evaluation 
analysis  that  takes  the  variation  into  account. 


Resource  constraints 

We  assume  that  network  nodes  are  resource  limited  in  the  following  ways: 

(a) Due to hardware limitations (lack of GPS receiver), nodes may not know their location at all times. In addition, due to resource constraints, generic nodes may not attempt to determine their location. However, we assume that guards do know their location either through GPS [87] or through some other localization method [146,148].

(b) We also assume that, due to hardware limitations, there is no time synchronization between the network nodes or the guards. In addition, nodes do not possess hardware to perform highly accurate time measurements in the nanoseconds.

(c) Due to computational power limitations, network nodes cannot perform expensive asymmetric cryptographic operations such as digital signatures [72,142]. Instead, they rely on efficient symmetric cryptography to generate, manage, and distribute cryptographic quantities and execute cryptographic operations, such as encryption/decryption, authentication, and hashing. We also assume that nodes and guards can be pre-loaded with needed cryptographic quantities before deployment.


System  parameters 

Since both guards and network nodes are randomly deployed, it is essential that we appropriately choose the network parameters, namely the guard density $\rho_g$ and the guard-to-node communication range $R$, for a given deployment area $A$, so that guards can communicate with nodes.

The random deployment of the network nodes and guards can be modeled after a Spatial Homogeneous Poisson Point Process [71]. The random placement of a set $U$ of guards with a density $\rho_g = \frac{|U|}{A}$ ($|\cdot|$ denotes the cardinality of a set) is equivalent to a sequence of events following a homogeneous Poisson point process of rate $\rho_g$. Given that $|U|$ events occur in area $A$, these events
are  uniformly  distributed  within  that  area.  The  random  deployment  of  a  set  S  of  nodes  with  a 
density  ps  =  is  equivalent  to  a  random  sampling  of  the  deployment  area  with  rate  ps  [71]. 

Based on Spatial Statistics theory [71], if $GH_s$ denotes the set of guards heard by a sensor $s$ (i.e., being within range $R$ from $s$), then the probability that a node hears exactly $k$ guards is given by the Poisson distribution

$$P(|GH_s| = k) = \frac{(\rho_g \pi R^2)^k}{k!} e^{-\rho_g \pi R^2}. \tag{2.4}$$

¹ The unit disk graph model has been used to represent ad hoc networks with identical devices being deployed in order to derive insightful theoretical results in diverse research topics, such as security [65,75], network connectivity [50,76], routing [82,99,100], and topology control [163].

Based on (2.4), we can compute the probability that every node of the network hears at least one guard as

$$P(|GH_s| > 0,\ \forall s \in S) = \left(1 - e^{-\rho_g \pi R^2}\right)^{|S|}. \tag{2.5}$$

Using (2.5), we can determine the desired guard density $\rho_g$ or guard-to-node communication range $R$, so that each node hears at least one guard with a probability $p$,

$$\rho_g \geq \frac{-\ln\left(1 - p^{\frac{1}{|S|}}\right)}{\pi R^2}, \qquad R \geq \sqrt{\frac{-\ln\left(1 - p^{\frac{1}{|S|}}\right)}{\pi \rho_g}}. \tag{2.6}$$

Both inequalities in (2.6) are independent of the node density $\rho_s$. Hence, once the deployment region is sufficiently covered by guards, nodes can be deployed as densely as desired with $P(|GH_s| > 0,\ \forall s \in S)$ remaining constant.


2.3  Local  Broadcast  Keys 

As  we  showed  in  Section  2.1.3,  broadcasted  messages  that  are  destined  only  to  the  local  neighbor¬ 
hood  are  timely  replayed  in  regions  that  are  not  within  the  communication  range  of  the  source  of 
the  messages.  Since  the  replayed  messages  are  both  authentic  and  decryptable  at  the  destination 
point  of  the  attack,  a  wormhole  link  is  established  between  the  nodes  at  the  origin  point  of  the 
attack  and  the  nodes  at  the  destination  point,  as  if  the  nodes  were  one-hop  neighbors.  Hence, 
wormhole  links  violate  the  communication  range  constraint  by  allowing  nodes  that  are  not  within 
communication  range  to  directly  communicate.  In  order  to  prevent  the  establishment  of  wormhole 
links,  we  showed  that  any  candidate  solution  should  construct  a  communication  graph  that  is  a 
subgraph  of  the  geometric  graph  of  the  network. 

A  wormhole  attack  is  successful  when  the  replayed  messages  that  are  destined  only  to  the 
local  neighborhood  are  decryptable  and  can  be  authenticated  outside  that  neighborhood.  Once  the 
attacker  replays  broadcasted  messages  outside  the  local  neighborhood  in  a  timely  manner,  nodes  at 
the  ends  of  the  wormhole  link  are  led  to  believe  that  they  are  one-hop  neighbors.  However,  if  only 
the  nodes  within  a  local  neighborhood  can  decrypt  and/or  authenticate  the  messages  broadcasted 
within  that  neighborhood,  nodes  out  of  communication  range  of  each  other  will  not  conclude  that 
they  are  one-hop  away.  Hence,  the  communication  graph  constructed  by  securely  identifying  the 
one-hop  neighbors  is  a  subgraph  of  the  geometric  graph  of  the  network  and  the  wormhole  attack  is 
eliminated. 

In order for a broadcast message intended for one-hop neighbors to be decryptable only by the one-hop neighbors, each node should be able to encrypt broadcast messages with keys only known to all of its one-hop neighbors. We call such keys Local Broadcast Keys (LBKs). Hence, the problem of eliminating wormhole links reduces to the problem of allowing nodes to establish LBKs with their one-hop neighbors. Once the LBKs are established, the resulting communication graph will be a subgraph of the geometric graph of the network.

In  this  section,  we  first  define  local  broadcast  keys  and  constructively  show  that  LBKs  construct 
a  wormhole-free  communication  graph  that  is  a  subgraph  of  the  geometric  graph  of  the  network. 
We  then  present  one  centralized  and  one  decentralized  mechanism  for  establishing  LBKs,  followed 
by  a  probabilistic  analysis  of  the  level  of  security  achieved. 

2.3.1 Definition and Correctness

Definition 2 (Local Broadcast Key) For a node $i$, we define the neighborhood $N_i$ as $N_i = \{j : \|i - j\| \leq r\}$. Given a cryptographic key $K$, let $U_K$ denote the set of nodes that hold key $K$. We assign a unique key $K_i$, called the Local Broadcast Key (LBK) of $i$, to all $j \in N_i$ so that $U_{K_i} = N_i$ and $K_i \neq K_j$, $\forall i \neq j$. Hence, by definition, all one-hop neighbors of node $i$ possess the LBK of node $i$. We follow the convention that any message from node $i$ to $j$ is encrypted with $K_i$, though either $K_i$ or $K_j$ can be used between nodes $i, j$. Hence, a link between nodes $i, j$ exists iff $i \in N_j$ or $j \in N_i$.


Theorem 2 Given $K_i$, $N_i$, $\forall i \in V$, where $V$ is the set of vertices defined by network nodes, and an arbitrary logical random graph $\tilde{G}(V, E_{\tilde{G}})$, the edge matrix $E_{G'}$, defined by

$$e_{G'}(i,j) = \begin{cases} 1, & \text{if } i \in U_{K_j} \cup j \in U_{K_i} \\ 0, & \text{else,} \end{cases} \tag{2.7}$$

yields the desired wormhole-free graph $G'(V, E_{G'})$, such that $E_{G'} \subseteq E_G$, where $G(V, r)$ is the geometric random graph defined in (2.1).


Proof 7 By the definition of $E_{G'}$, there exists a link $e_{G'}(i,j) = 1$ if and only if the two nodes hold at least one LBK. But, according to the definition of LBK, a node $i \in U_{K_j}$ iff $i \in N_j$, which in turn implies that $i, j$ satisfy (2.1), which defines the links of the geometric graph $G(V, r)$. Hence, $e_{G'}(i,j) = 1$ iff $\|i - j\| \leq r$, $E_{G'} = E_G$ and, therefore, $G' = G$. According to Theorem 1, if a transformation $S(G, \tilde{G})$ results in a graph $G'(V, E_{G'})$ such that $E_{G'} \subseteq E_G$, then $G'$ is a wormhole-free graph.

As a side remark, we note that since $G' = G$ and if $G$ is connected, then $G'$ is also connected.
Also,  given  that  LBKs  are  established  for  any  network  nodes,  the  wormhole  attack  can  be  prevented 
even  in  the  absence  of  any  location  information.  The  LBK  solution  reconstructs  the  geometric  graph 
G(V,  r)  by  encrypting  the  information  exchange  and  disclosing  the  decryption  keys  only  to  direct 
neighbors.  However,  the  challenge  of  establishing  LBKs  in  a  network  may  or  may  not  require 
location  information.  In  what  follows,  we  present  two  mechanisms  by  which  we  can  assign  local 
broadcast  keys  to  the  nodes  of  the  network. 


2.3.2 Local broadcast key establishment mechanisms

Key distribution from a central authority

Wireless  ad  hoc  networks  have  been  visualized  to  operate  under  both  centralized  and  decentralized 
control  depending  on  the  applications  and  the  services  that  they  provide.  Though  our  research 
mainly  focuses  on  decentralized  systems,  for  completeness,  we  first  show  how  LBKs  can  also  be 
established  in  centralized  systems. 

Assume that a central authority has a global view of the network topology (knows the location of all nodes) and that a security association has been established between every node and the central authority (every node shares a pairwise key with the central authority). Similar assumptions have been made in the centralized wormhole prevention scheme presented in [166]². It is quite simple to see that the central authority can construct the geometric graph $G(V, r)$ using the location of the nodes and the communication range constraint $r$. Once the geometric graph $G(V, r)$ is constructed, the central authority can distribute a unique LBK to each node and its one-hop neighbors, via the secure channel established based on the security association shared with each node. Once the LBKs have been established, any broadcast encrypted with the LBK of a node $s_i$ can only be decrypted by the one-hop neighbors of $s_i$. Hence, using a wormhole to replay messages at one neighborhood encrypted with the LBK of another will not introduce any vulnerability³.

The  centralized  authority-based  LBK  establishment  mechanism  exhibits  drawbacks  that  are 
commonly  noted  in  any  centralized  solution.  First,  the  central  authority  constitutes  a  single  point 
of  failure.  Second,  in  case  of  a  mobile  ad  hoc  network,  the  base  station  needs  frequent  updates  of 
the  location  of  each  node  in  order  to  maintain  an  up-to-date  geometric  graph  and  update  the  LBKs 
according  to  the  changing  topology.  The  LBK  update  has  to  be  performed  via  unicast  messages 
from  the  base  station  to  every  node  and,  hence,  can  add  prohibitively  high  overhead  for  the  network. 
Finally,  the  centralized  method  requires  knowledge  of  the  entire  network  topology  (location  of  all 
nodes).  A  base  station  can  acquire  the  node  location  if  the  network  is  systematically  deployed, 
or  by  using  a  wormhole-resistant  localization  method  [105,108,113,115,160].  We  now  describe  a 
decentralized  LBK  establishment  mechanism  that  requires  only  a  small  fraction  of  the  nodes  to 
have  knowledge  of  their  location. 


Decentralized  establishment  of  local  broadcast  keys 

We present a three-step algorithm to allow nodes to establish LBKs in a decentralized manner. In step one, every guard $g_i$ broadcasts fractional keys $FK_i$ to the network. Every node collects the fractional keys from all guards that it can hear. In step two, every node broadcasts the Ids of the fractional keys that it holds. If two nodes $s_i$, $s_j$ share more than $th$ fractional keys, they use all common fractional keys to generate a pairwise key $K_{s_i,s_j}$. In step three, a node $s$ generates an LBK $K_s$ and unicasts it to every node that it shares a pairwise key with. Before we describe the three steps in detail, we present the cryptographic mechanisms of our decentralized LBK scheme.


Cryptographic  Mechanisms 

Encryption: To protect the distribution of the fractional keys, all broadcasts from the guards are encrypted with a global symmetric key $K_0$, preloaded before deployment. In addition, a node $s$ shares a symmetric pairwise key $K_{s,g_i}$ with every guard $g_i$, also preloaded. Since the number of guards deployed is relatively small, the storage requirement at the node is within the storage constraints (a total of $|U|$ keys), even for memory-scarce nodes. For example, mica motes [118] have 128 Kbytes of programmable flash memory. Using 64-bit RC5 [141] symmetric keys and for a network with 200 guards, a total of 1.6 Kbytes of memory is required to store all the symmetric pairwise keys of the node with all the guards.

² The authors in [166] assume that a base station receives information about the relative position of each node via a channel secured with a group key known to all nodes and the base station.

³ Since the central authority can reconstruct the geometric graph $G(V, r)$, it can also inform every node about their one-hop neighbors via a secure channel and, hence, prevent the wormhole attack.

In order to save storage space at the guard side (guards would have to store $|S|$ keys), the pairwise key $K_{s,g_i}$ is derived from a master key $K_{g_i}$, using a pseudo-random function [151] $h$ and the unique node $Id_s$, $K_{s,g_i} = h_{K_{g_i}}(Id_s)$. Hence, given an $Id_s$, a guard can compute its pairwise key with any node whenever needed, without having to store any pairwise keys.


Guard  ID  authentication 

The use of a global symmetric key $K_0$ does not provide any authentication on the source of the message. Hence, any guard or node holding the global key can broadcast fractional keys encrypted with $K_0$. Though we have assumed that the global symmetric key $K_0$ is not compromised and that network entities do not operate maliciously, in order to allow nodes to authenticate the guards within one hop, we provide a lightweight authentication mechanism⁴. Our scheme is based on efficient one-way hash chains [103], which have also been used extensively in broadcast authentication protocols [131,133].

Each guard $g_i$ is assigned a unique password $PW_i$. The password is blinded with the use of a collision-resistant hash function such as SHA-1 [151]. Due to the collision resistance property, it is computationally infeasible for an attacker to find a value $PW_i'$ such that $H(PW_i) = H(PW_i')$, $PW_i \neq PW_i'$. The hash sequence is generated using the following equation:

$$H^0 = PW_i, \qquad H^q = H(H^{q-1}), \qquad q = 1, \dots, n,$$

with $n$ being a large number and $H^0$ never revealed to any node. In addition, due to the one-way property of the hash chain, it is computationally infeasible for an adversary to derive values of the hash chain that have not been already published by the guard [103]. Each node is preloaded with a table containing the Id of each guard and the corresponding hash value $H^n(PW_i)$. For a network with 200 guards, we need 8 bits to represent node Ids. In addition, hash functions such as SHA-1 [151] have a 128-bit output. Hence, the storage requirement of the hash table at any node is only 3.4 Kbytes. To reduce the storage needed at the guard side, we employ an efficient storage/computation method for hash chains of time/storage complexity $O(\log_2(n))$ and compute any hash chain values when needed [69].


Steps  of  the  key  establishment  scheme 

Step 1: Initially, every guard $g_i$ generates a random fractional key $FK_i$. Guards broadcast their fractional keys encrypted with the global symmetric key $K_0$. Every broadcast message also contains the coordinates $(X_i, Y_i)$ of the transmitting guard, the next hash value in the hash chain that has not been published, $H^{n-q}(PW_i)$, and the hash chain index $q$. The broadcast message format is

Guard $g_i$ : $\{ FK_i \,\|\, (X_i, Y_i) \,\|\, H^{n-q}(PW_i) \,\|\, q \}_{K_0}$, (2.8)

where $\{A \| B\}_K$ denotes concatenation of $A$, $B$ and encryption with key $K$.

Every node collects the fractional keys from all the guards that it can hear and verifies that $H(H^{n-q}(PW_i)) = H^{n-q+1}(PW_i)$. If a node has not received some intermediate values of the hash chain due to packet loss, it can use the hash index $q$ to re-synchronize to the current published hash value. Assume that the latest hash value of the chain of guard $g_i$ stored by a node $s$ is $H^{n-z}(PW_i)$, with $z < q$. Node $s$ can re-synchronize with the hash chain of guard $g_i$ upon receipt of the hash value $H^{n-q}(PW_i)$ by applying $(q - z)$ consecutive hash operations to $H^{n-z}(PW_i)$.

For all received messages for which the verification of the hash is correct, the node stores the fractional keys $FK_i$, the coordinates of each guard $(X_i, Y_i)$, the latest published hash values of the chain, $H(H^{n-q}(PW_i))$, and the hash index $m$. In figure 2.4(a), guards $g_1 \sim g_5$ broadcast their fractional keys $FK_i$ encrypted with the global broadcast key $K_0$. Nodes $s_1 \sim s_7$ decrypt the message with the key $K_0$, and verify the authenticity of the broadcasting guards.

⁴ The guard authentication mechanism provides a basis for the future enhancement of the system against other types of attacks, such as the Sybil attack [74,124].

Step 2: Once the nodes have collected the fractional keys from all the guards that they hear, they broadcast a message indicating the identities of the fractional keys that they hold and a node-specific threshold value, encrypted with the global symmetric key $K_0$. Since every node is aware of the correspondence between the fractional keys that it has acquired and the identities of the guards that provided the fractional keys, the nodes need only broadcast the identities of the guards that they heard, in order to indicate which fractional keys they hold. The identities of the guards uniquely define the identities of the fractional keys broadcasted by those guards⁵.

If two neighbor nodes $s_1, s_2$ have in common fractional keys $\{FK_1, FK_2, \dots, FK_m\}$ with $m$ above a threshold $th$, they individually generate a pairwise key, $K_{s_1,s_2} = H(FK_1 \| FK_2 \| \dots \| FK_m)$, where $H$ is a collision-resistant hash function [103]. A node $s_1$ can verify the claim of another node $s_2$ about holding a specific set of keys by challenging the claimant node. If node $s_2$ claims to hold a set of keys $\{FK_1 \| FK_2 \| \dots \| FK_m\}$, it should be able to generate the key $K_{s_1,s_2}$. To verify such a claim, the verifying node $s_1$ first broadcasts a nonce, encrypted with the key $K_{s_1,s_2}$ generated from the fractional keys corresponding to the guard Ids transmitted by the claimant node $s_2$. If the claimant node $s_2$ indeed holds the keys $\{FK_1 \| FK_2 \| \dots \| FK_m\}$, it will be able to generate the same pairwise key $K_{s_1,s_2}$, decrypt the nonce, and reply to the verifying node.

For example, if node $s_1$ is the verifying node and $s_2$ is the claimant node, $s_1$ encrypts a nonce $\eta_1$ with $K_{s_1,s_2}$ and challenges node $s_2$ to reply with $J(\eta_1)$, where $J(x)$ is a simple function, such as $J(x) = x - 1$. If node $s_2$ were to really hold the fractional keys that it advertised, it would generate the pairwise key $K_{s_1,s_2}$ and, hence, will be able to decrypt the nonce and reply with $J(\eta_1)$, encrypted with $K_{s_1,s_2}$. The message exchange occurring between $s_1$ and $s_2$ in Step 2 is

$s_1 : \{\eta_1\}_{K_{s_1,s_2}}$,    $s_1 \leftarrow s_2 : \{J(\eta_1)\}_{K_{s_1,s_2}}$.

Note that we require that the claimant node replies to the challenge $\eta_1$ with $J(\eta_1)$ rather than the nonce itself in order to prevent an adversary from replaying the challenge message as a valid response.

In figure 2.4(c), the threshold value is set to $th = 3$. Node $s_1$ establishes a pairwise key with all its neighbors that have at least three fractional keys in common. Note that $s_1$ does not share sufficient fractional keys with $s_6$ and $s_7$ in order to establish a pairwise key. Hence, even in the presence of a wormhole link between $s_1$ and $s_6$ or $s_7$, non-neighboring nodes will not be able to establish a pairwise key.

⁵ Note that two guards may individually generate the same FK, but given a guard Id, the FK is unique.

Figure 2.4: (a) Guards $g_1 \sim g_5$ broadcast fractional keys $FK_1 \sim FK_5$ encrypted with the global broadcast key $K_0$. The location of the guards and the hash chain value is also included in every broadcast. (b) Nodes announce the Ids of the fractional keys that they hold. (c) Neighbor nodes that have in common at least three fractional keys ($th = 3$) establish a pairwise key. Node $s_1$ has at least three common fractional keys with all nodes within one hop. (d) Node $s_1$ establishes a broadcast key $K_{s_1}$ with every one hop neighbor and uses it to broadcast a message $m$ encrypted with

Step 3: After pairwise keys have been established with one-hop neighbors, node $s_i$ randomly generates an LBK $K_{s_i}$ and unicasts it to every neighbor, encrypted with the pairwise key $K_{s_i,s_j}$. Node $s_i$ stores its LBK $K_{s_i}$, used for encrypting its own messages, and also stores the LBKs of all its one-hop neighbors that it shares sufficient fractional keys with, in order to decrypt their broadcast messages. We assume that $K_{s_i} \neq K_{s_j}$, $\forall s_i \neq s_j$. In figure 2.4(d), $s_1$ has established an LBK $K_{s_1}$ with its neighbors $s_2 \sim s_5$ and uses it to encrypt the transmission of message $m$.
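Steps 1 and 2 of the scheme above, sketched in Python as an added example (not the authors' code): the hash-chain check with re-synchronization after lost broadcasts, and the threshold pairwise-key derivation from common fractional keys. SHA-256 stands in for the hash function, the $K_0$ encryption layer, the nonce challenge and Step 3 are left out, a node is assumed to know the chain length n, and the guard and node layout is constructed.

```python
import hashlib
import hmac
import os


def H(data):
    """Hash for the chain and for key derivation (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()


class Guard:
    """Guard g_i with password PW_i, hash chain H^0..H^n and fractional key FK_i."""

    def __init__(self, gid, n=64):
        self.gid, self.n, self.q = gid, n, 0
        self.chain = [os.urandom(16)]                 # H^0 = PW_i, never revealed
        for _ in range(n):
            self.chain.append(H(self.chain[-1]))      # H^q = H(H^{q-1})
        self.fk = os.urandom(8)                       # 64-bit fractional key FK_i

    def commitment(self):
        return self.chain[self.n]                     # H^n(PW_i), preloaded on nodes

    def broadcast(self):
        """Step 1 payload: FK_i, next unpublished value H^{n-q}(PW_i), index q."""
        if self.q + 1 >= self.n:
            raise RuntimeError("hash chain exhausted")
        self.q += 1
        return {"gid": self.gid, "fk": self.fk,
                "hash": self.chain[self.n - self.q], "q": self.q}


class Node:
    def __init__(self, commitments, n=64):
        self.n = n
        # guard id -> (z, H^{n-z}(PW_i)); z = 0 is the preloaded value H^n(PW_i)
        self.latest = {gid: (0, h) for gid, h in commitments.items()}
        self.fks = {}                                 # guard id -> fractional key

    def receive(self, msg):
        """Accept a guard broadcast only if its hash value extends the known chain."""
        if msg["gid"] not in self.latest:
            return False
        z, stored = self.latest[msg["gid"]]
        q = msg["q"]
        if not z < q < self.n:
            return False                              # replayed index or outside the chain
        value = msg["hash"]
        for _ in range(q - z):                        # one hash normally, more after loss
            value = H(value)
        if not hmac.compare_digest(value, stored):
            return False
        self.latest[msg["gid"]] = (q, msg["hash"])
        self.fks[msg["gid"]] = msg["fk"]
        return True

    def advertised_ids(self):
        """Step 2 announcement: the Ids of the guards whose fractional keys are held."""
        return sorted(self.fks)

    def pairwise_key(self, peer_ids, th):
        """H(FK_1 || ... || FK_m) over the common keys, or None below the threshold."""
        common = sorted(set(self.fks) & set(peer_ids))
        if len(common) < th:                          # "at least th", as in figure 2.4(c)
            return None
        return H(b"".join(self.fks[g] for g in common))


def run_scenario(th=3):
    """Constructed layout: s1 and s2 are neighbours, s6 is far away (wormhole end)."""
    guards = {gid: Guard(gid) for gid in range(1, 7)}
    commitments = {gid: g.commitment() for gid, g in guards.items()}
    hears = {"s1": [1, 2, 3, 4, 5], "s2": [1, 2, 3, 4], "s6": [5, 6]}
    nodes = {name: Node(commitments) for name in hears}
    for rnd in (1, 2, 3):
        msgs = {gid: g.broadcast() for gid, g in guards.items()}
        for name, gids in hears.items():
            if name == "s2" and rnd < 3:
                continue                              # s2 loses the first two rounds
            for gid in gids:
                if not nodes[name].receive(msgs[gid]):
                    raise RuntimeError("genuine broadcast rejected")
    ids = {name: node.advertised_ids() for name, node in nodes.items()}
    return {"k12": nodes["s1"].pairwise_key(ids["s2"], th),
            "k21": nodes["s2"].pairwise_key(ids["s1"], th),
            "k16": nodes["s1"].pairwise_key(ids["s6"], th)}


if __name__ == "__main__":
    result = run_scenario()
    print("s1/s2 agree:", result["k12"] == result["k21"], "| s1/s6 key:", result["k16"])
```

A node that merely advertises guard Ids it never heard derives a different key; that case is what the nonce challenge of Step 2 detects.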

Before we present our decentralized local broadcast key establishment scheme in algorithmic form, we analyze the critical problem of allowing nodes to determine the threshold value for establishing pairwise keys with their immediate neighbors.

2.3.3  Setting  the  threshold  for  key  establishment 

In  this  section,  we  examine  how  the  value  of  the  threshold  th  affects  the  probability  of  sharing 
more  than  th  fractional  keys  with  immediate  and  non-immediate  neighbors.  We  then  propose 
mechanisms  to  increase  the  connectivity  with  one-hop  neighbors  while  decreasing  the  probability 
of  non-immediate  neighbors  to  share  more  than  th  fractional  keys. 

Figure 2.5: (a) Nodes $s_1, s_2$ are within communication range ($l \leq r$). All guards located in the area $A_c$ are heard by both nodes $s_1, s_2$. (b) A lower bound on $P_{local}$ for varying guard densities $\rho_g$ and for a node density $\rho_s = 0.5$, when $\frac{R}{r} = 10$. Panel title: Probability of establishing a key with all one-hop neighbors.


Key  establishment  with  immediate  neighbors 

Let the distance between two nodes $s_1, s_2$ be $l = \|s_1 - s_2\|$, as in figure 2.5(a). Any guard $g_i$ that lies within the shaded area $A_c$ is heard by both nodes $s_1, s_2$ and hence, its fractional key $FK_i$ is received by both $s_1, s_2$. From figure 2.5(a), we can compute the area $A_c$ as follows

$$\phi = \cos^{-1}\frac{l}{2R}, \qquad A_c = 2R^2\phi - R\,l \sin\phi. \tag{2.9}$$

If $GH_{A_c}$ denotes the set of guards located within $A_c$, the probability $P_{key}$ for two nodes that are at a distance $l \leq r$ to establish a pairwise key is equal to the probability that more than $th$ guards are located in $A_c$.

$$P_{key} = P(|GH_{A_c}| \geq th) = 1 - P(|GH_{A_c}| < th) = 1 - \sum_{i=0}^{th-1} \frac{(\rho_g A_c)^i}{i!} e^{-\rho_g A_c}. \tag{2.10}$$

From (2.10), we compute the probability $P_{local}$ for a node to be connected to all the nodes within its neighborhood. Let $P(N_s = i)$ denote the probability for a node $s$ to have $i$ neighbors. Since neighboring nodes can be located at any distance $0 < l < r$ from node $s$, we can derive a lower bound on $P_{local}$ by considering the worst case where every neighbor is located at the circle of radius $r$ centered at the node $s$. Assuming that every one-hop neighbor is at the boundary of the communication range yields the worst case for $P_{local}$, since $A_c$ attains its minimum value for $l = r$, and, hence, the probability of finding $th$ guards in $A_c$ becomes the smallest. $P_{local}$ is expressed as

$$
\begin{aligned}
P_{local} &= \sum_{i=0}^{|S|} P(N_s = i,\ |GH_{A_c}| \geq th,\ \forall i) && (2.11)\\
&\geq \sum_{i=0}^{|S|} P(N_s = i)\, P(|GH_{A_c}| \geq th,\ \forall i) && (2.12)\\
&\geq \sum_{i=0}^{|S|} P(N_s = i)\, P_{key}^{\,i} && (2.13)\\
&\geq \sum_{i=0}^{|S|} \frac{(\rho_s \pi r^2)^i}{i!} e^{-\rho_s \pi r^2} \left(1 - \sum_{j=0}^{th-1} \frac{(\rho_g A_c)^j}{j!} e^{-\rho_g A_c}\right)^{i} && (2.14)
\end{aligned}
$$

with $A_c$ given by (2.9) for $l = r$. In the computation of $P_{local}$, (2.12) follows from the fact that nodes are deployed independently of guards, (2.13) follows from the randomness in the guard deployment (finding $|GH_{A_c}|$ guards in an area $A_c$ is independent of where $A_c$ is located), and (2.14) follows from (2.10).

Given parameters $r$, $\rho_s$, we can select the threshold $th$ and the parameters $R$, $\rho_g$, so that the probability $P_{local}$ is close to unity (i.e., nodes establish pairwise keys with almost all their neighbors). In figure 2.5(b), we show the lower bound on $P_{local}$ vs. $th$, for varying guard densities $\rho_g$ and for a node density $\rho_s = 0.5$, when $\frac{R}{r} = 10$.

From (2.14), we can select the threshold $th$ such that $P_{local}$ is very close to unity. For example, for $\rho_g = 0.03$, setting the threshold to $th < 15$ will allow one-hop neighbors to share more than $th$ fractional keys with a probability very close to unity. However, if we choose a low threshold value, neighbors more than one hop away will also have in common more than $th$ fractional keys. Hence, an adversary can establish a wormhole link between nodes more than one hop away. In the next section, we examine the statistics on establishing keys between non-immediate neighbors.


Avoiding  key  establishment  with  non-immediate  neighbors 

To satisfy the definition of LBKs, nodes more than one hop away must not have more than $th$ fractional keys in common. In figure 2.6(a), we show the probability $P_{key}(l)$ that two nodes share more than $th$ fractional keys depending on the distance $l$ between them, as expressed by (2.10).

From figure 2.6(a), we observe that the value of the node-to-node communication range $r$ is critical for the selection of the threshold. For example, if we set $r = 10$ m and $th = 5$, two nodes within communication range ($l < 10$ m) establish a pairwise key with a probability of almost unity. Two-hop neighbors located at a distance $l = 2r$ from a node $s$ have $P_{key} = 0.43$ to share more than $th = 5$ fractional keys. Such a probability value is prohibitively high. In order to reduce $P_{key}$ for non-immediate neighbors, we examine the reasons why $P_{key}$ is high for distances $l > r$ and propose remedies to avoid key establishment between non-immediate neighbors.

Problem 1: In our analysis in Section 2.3.3, we have considered the threshold to be a global variable, the same for all deployed nodes. However, in a random deployment, not all nodes hear the same number of guards. Hence, for some nodes, the threshold value is too high to allow them to connect to their immediate neighbors, while for other nodes, the threshold value is too low to isolate non-immediate neighbors. To avoid the shortcomings of selecting a global threshold for all nodes, we propose that each node select its own threshold, based on the number of guards heard at that node.

Figure 2.6: (a) $P_{key}$ for varying threshold values when $\rho_g = 0.03$. (b) Nodes $s_1, s_2$ hear guards $g_1 \sim g_3$. An adversary replays the fractional key Id broadcast information of $s_1$ at point $s_2$, and the fractional key Id broadcast information of $s_2$ at point $s_1$. If the threshold is set to $th = 3$, sensors $s_1$ and $s_2$ are led to believe they are one hop away, establish a pairwise key and communicate through the wormhole link. [Plot title of panel (a): Probability of establishing a key between two nodes.]


Problem 2: The use of omnidirectional antennas can increase the number of non-immediate neighbors vulnerable to the wormhole attack under the following scenario. Consider figure 2.6(b), where nodes $s_1, s_2$ are not within communication range. Due to the omnidirectionality of the guard antennas, both $s_1, s_2$ are able to hear the same set of guards $\{g_1, g_2, g_3\}$ and, hence, acquire the same set of fractional keys $\{FK_1, FK_2, FK_3\}$. In Step 2 of our decentralized LBK establishment scheme, the two nodes broadcast the Ids of the fractional keys that they hold, indicating the guards that they hear. Since the two nodes are not within communication range, in the absence of a wormhole they would not be able to establish an LBK. However, consider an adversary mounting a wormhole attack that records the fractional key Ids broadcast information of $s_1$, tunnels it via the wormhole link to $s_2$, and replays it. Similarly, the adversary records the fractional key Id broadcast of $s_2$, tunnels it to $s_1$ and replays it. If the threshold for establishing communication is set to $th = 3$, $s_1, s_2$ will establish a pairwise key $K_{s_1,s_2}$, assuming that they are one hop away.

To  account  for  the  lack  of  direction  in  the  distribution  of  the  fractional  keys  at  the  expense  of 
increased  hardware  complexity,  guards  may  be  equipped  with  M  directional  antennas  of  beamwidth 
each.  Guards  transmit  different  fractional  keys  at  each  antenna  sector  and,  hence,  two  nodes 
need  to  hear  the  same  antenna  sectors  of  the  same  guards  in  order  to  acquire  common  fractional 
keys. 


Local  threshold  computation 

In  the  previous  section,  we  argued  that  setting  the  threshold  globally  can  prohibit  some  immediate 
neighbors  from  establishing  pairwise  keys  and  allow  some  non-immediate  neighbors  to  share  more 
than  th  fractional  keys.  Hence,  it  is  preferable  that  each  node  locally  computes  the  threshold  th 
based  on  the  number  of  guards  that  it  hears. 

Assume that a sensor $s_1$ can hear $|GH_{s_1}|$ guards and wants to establish a pairwise key with node $s_2$ located at distance $l < r$ from $s_1$, as in figure 2.5(a). The probability that $s_1, s_2$ hear $th$ common guards, given that $|GH_{s_1}|$ guards are heard by $s_1$, is equivalent to the probability that $th$ guards are located within $A_c$, given that $|GH_{s_1}|$ of them are located within the area inside the circle of radius $R$ centered at $s_1$. Due to the random guard deployment, if $|GH_{s_1}|$ guards are located within a specific region, those guards are uniformly distributed [71]. Hence, if a single guard is deployed within the communication area $\pi R^2$ of a node, the probability for that guard to be within $A_c$ is $p_g = \frac{A_c}{\pi R^2}$. Since we assume random guard deployment, the event of a guard $g_i$ being within $A_c$ is independent of the event of guard $g_j$ being within $A_c$. Hence, the probability that more than $th$ guards are deployed within $A_c$, given that a total of $|GH_{s_1}|$ are deployed within $\pi R^2$, is

$$P_{key} = P(|GH_{A_c}| \geq th \mid |GH_{s_1}| = k) = \sum_{i=0}^{k-th} \binom{k}{th+i} \left(\frac{A_c}{\pi R^2}\right)^{th+i} \left(1 - \frac{A_c}{\pi R^2}\right)^{k-th-i}. \qquad (2.15)$$

Figure 2.7: (a) $P_{key}$ for a varying threshold value equal to $th = |GH_{s_1}| - 3$. (b) Use of directional antennas for the distribution of fractional keys.


Note that the binomial in (2.15) cannot be approximated by a Poisson distribution since $k$ may not be much bigger than one and $A_c$ has a comparable size to $\pi R^2$. In figure 2.7(a), we show $P_{key}$ for different numbers of guards heard $|GH_{s_1}|$ and different distances between $s_1, s_2$, when the threshold is set to $th = |GH_{s_1}| - 3$. The selection of $th = |GH_s| - 3$ serves as an example to illustrate the idea of the locally computed threshold. In Section 1.8, we will provide extensive simulation studies for the selection of $th$.
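The trade-off described by (2.10) and (2.15) can be explored numerically. The Python code below is an added example, not code from the report; the function names and the sample values (k = 20 guards heard, R = 100, r = 10, a 0.9 connectivity target) are assumptions chosen for illustration.

```python
import math


def common_area(l, R):
    """A_c of (2.9): overlap of two disks of radius R with centres l apart."""
    if l >= 2 * R:
        return 0.0                      # disks no longer overlap
    phi = math.acos(l / (2 * R))
    return 2 * R * R * phi - R * l * math.sin(phi)


def p_key_global(l, R, rho_g, th):
    """(2.10): P(at least th guards in A_c) for guard density rho_g."""
    mean = rho_g * common_area(l, R)
    if mean == 0.0:
        return 1.0 if th <= 0 else 0.0
    # Poisson terms are evaluated in log space to avoid underflow.
    below = sum(math.exp(i * math.log(mean) - mean - math.lgamma(i + 1))
                for i in range(th))
    return max(0.0, 1.0 - below)


def p_key_local(l, R, k, th):
    """(2.15): P(at least th of the k guards heard by s_1 lie in A_c)."""
    p = common_area(l, R) / (math.pi * R * R)
    return sum(math.comb(k, m) * p ** m * (1 - p) ** (k - m)
               for m in range(max(th, 0), k + 1))


def pick_local_threshold(k, R, r, target):
    """Largest th whose worst-case one-hop probability (l = r) meets target."""
    best = 0
    for th in range(k + 1):
        if p_key_local(r, R, k, th) >= target:
            best = th
    return best


def threshold_report(k, R, r, target):
    """Chosen threshold and the resulting key probability at three distances."""
    th = pick_local_threshold(k, R, r, target)
    return {
        "th": th,
        "one_hop": p_key_local(r, R, k, th),          # neighbour at l = r
        "two_hop": p_key_local(2 * r, R, k, th),      # node at l = 2r
        "beyond_guard_overlap": p_key_local(2 * R, R, k, th),
    }


if __name__ == "__main__":
    # Assumed sample values: a node hearing 20 guards, R/r = 10.
    for name, value in threshold_report(k=20, R=100.0, r=10.0, target=0.9).items():
        print(f"{name}: {value}")
```

With R/r = 10 the overlap area shrinks only slightly between l = r and l = 2r, so the two-hop probability stays close to the one-hop value for any threshold that keeps one-hop connectivity high.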

Using (2.15), each node $s_i$ can determine the threshold $th_{s_i}$ individually depending on the number of guards that it hears. For example, if node $s_i$ has a threshold of $th_{s_i}$ and node $s_j$ has announced that it holds at least $th_{s_i}$ fractional keys known to $s_i$, node $s_i$ will challenge $s_j$ with a nonce $\eta_i$ and $s_j$ will reply with $J(\eta_i)$ encrypted with $K_{s_i,s_j}$. However, node $s_j$ may hear a different number of guards and, hence, decide upon a different threshold value $th_{s_j}$. In such a case, $s_j$ will repeat the pairwise key establishment process in order to agree on an additional pairwise key with node $s_i$. It is also possible that $\min(th_{s_i}, th_{s_j}) \leq |\bigcap(ID_{s_i}, ID_{s_j})| < \max(th_{s_i}, th_{s_j})$ and, hence, only unidirectional secure communication can be established between two one-hop neighbors. To establish only bi-directional links between one-hop neighbors, we can modify the pairwise key establishment condition by selecting a common threshold value $th_{s_i,s_j}$ at both engaging nodes. To achieve maximum network connectivity, nodes $s_i, s_j$ can set the common threshold value $th_{s_i,s_j}$ equal to the minimum of the two individual thresholds, $th_{s_i}, th_{s_j}$. However, in such a case, the probability of establishing a wormhole with a non-immediate neighbor grows larger for the node with the higher threshold. To trade off connectivity for protection against wormholes, nodes $s_i, s_j$ can set the threshold value $th_{s_i,s_j}$ equal to the maximum of the two individual thresholds, $th_{s_i}, th_{s_j}$. Two nodes $s_i, s_j$ establish a pairwise key according to the following rule

$$K_{s_i,s_j} = \begin{cases} H(FK_1, FK_2, \ldots, FK_m), & \text{if } m = |\bigcap(ID_{s_i}, ID_{s_j})| \geq \max\{th_{s_i}, th_{s_j}\} \\ 0, & \text{otherwise.} \end{cases} \qquad (2.16)$$
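One way to apply rule (2.16), shown as an added example that is not part of the original report: SHA-256 stands in for $H$, the fractional keys are constructed byte strings, keys are concatenated in sorted guard-id order, and the Node class and its method names are hypothetical.

```python
import hashlib


def H(data: bytes) -> bytes:
    """Stand-in for the hash H of (2.16); SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()


class Node:
    def __init__(self, name, fractional_keys, slack=3):
        self.name = name
        self.fk = dict(fractional_keys)          # guard id -> fractional key
        # Local threshold th = |GH_s| - 3, the example value used in the text;
        # the floor of 1 is an assumption for nodes hearing very few guards.
        self.th = max(1, len(self.fk) - slack)

    def announce(self):
        """Step 2 broadcast: ids of the guards heard and the local threshold."""
        return sorted(self.fk), self.th

    def common(self, peer_ids):
        return sorted(set(self.fk) & set(peer_ids))

    def accepts(self, peer_ids):
        """Per-node rule: enough common fractional keys for *my* threshold."""
        return len(self.common(peer_ids)) >= self.th

    def pairwise_key(self, peer_ids, peer_th, policy=max):
        """Rule (2.16) with policy=max; policy=min favours connectivity."""
        common = self.common(peer_ids)
        if len(common) < policy(self.th, peer_th):
            return None                          # the '0, otherwise' branch
        return H(b"".join(self.fk[g] for g in common))


def constructed_scenario():
    """Constructed guards g1..g12 with 16-byte fractional keys."""
    fk = {f"g{i}": bytes([i]) * 16 for i in range(1, 13)}

    def hears(lo, hi):
        return {f"g{i}": fk[f"g{i}"] for i in range(lo, hi + 1)}

    s1, s2 = Node("s1", hears(1, 8)), Node("s2", hears(3, 10))
    s4, s5 = Node("s4", hears(1, 10)), Node("s5", hears(6, 12))
    ids4, th4 = s4.announce()
    ids5, th5 = s5.announce()
    return {
        "thresholds": {n.name: n.th for n in (s1, s2, s4, s5)},
        # 6 common keys against thresholds 5 and 5: both ends derive one key.
        "k12": s1.pairwise_key(*s2.announce()),
        "k21": s2.pairwise_key(*s1.announce()),
        # 5 common keys against thresholds 7 and 4: only s5 would accept,
        # so the per-node rule gives a unidirectional link.
        "s4_accepts": s4.accepts(ids5),
        "s5_accepts": s5.accepts(ids4),
        "k45_max": s4.pairwise_key(ids5, th5, policy=max),
        "k45_min": s4.pairwise_key(ids5, th5, policy=min),
        "k54_min": s5.pairwise_key(ids4, th4, policy=min),
    }


if __name__ == "__main__":
    for name, value in constructed_scenario().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```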


The algorithm in figure 2.8 summarizes our decentralized local broadcast key establishment scheme. In the local threshold computation, each node individually determines its own threshold (a parameter directly related to the success in preventing wormholes) based on the number of guards it hears. However, during a wormhole attack, a node may hear a much higher number of guards compared to its neighbors. In such a case, the node under attack can be misled to compute a threshold value that cannot be met by any of its one-hop neighbors and, hence, be disconnected from the rest of the network. To address this problem, using our method, the node first detects if it is under wormhole attack. If a wormhole is detected, the node uses a mechanism called Closest Guard Algorithm (CGA) described in Section 2.4.3 to separate the one-hop guards from the replayed ones. Once the one-hop guards have been determined, the node selects the threshold value based on the guards that are directly heard.


Key  establishment  using  directional  antennas. 

In  figure  2.6(b),  we  showed  how  the  omnidirectionality  of  the  guards’  antennas  allows  non-immediate 
neighbors  to  have  more  than  th  fractional  keys  in  common.  In  order  to  avoid  the  distribution  of 
the  same  fractional  keys  to  nodes  located  more  than  one-hop  away,  guards  may  be  equipped  with 
directional  antennas. 

Each  guard  has  M  directional  antennas  with  sectors  being  wide.  At  each  sector,  guards 
transmit  different  fractional  keys.  However,  guards  include  the  same  hash  value  of  the  hash  chain 
to  all  M  messages  transmitted  at  the  different  antenna  sectors.  The  use  of  the  same  hash  value  in 
all  sectors  for  every  periodic  transmission  of  fractional  keys  will  not  allow  an  attacker  to  replay  a 
message  heard  at  another  antenna  sector.  If  a  node  s  hears  sector  j  of  a  guard  gi  and  an  attacker 
replays  to  s  a  message  transmitted  at  sector  k  of  gi,  node  s  will  have  already  received  the  latest 
published  hash  value  of  the  hash  chain  via  the  directly  heard  sector  j  and  will  not  authenticate  the 
replay  of  the  sector  k. 

In figure 2.7(b), we show the same network as in figure 2.6(b) with each guard using three directional antennas of beamwidth $\frac{2\pi}{3}$. Although nodes $s_1, s_2$ hear the same guards $g_1 \sim g_3$, since they are located in different directions, they acquire different fractional keys. Hence, $s_1, s_2$ do not share a sufficient number of fractional keys for the establishment of a pairwise key, even if an attacker mounts a wormhole link between $s_1, s_2$.


Communication  cost  of  the  decentralized  key  establishment  scheme 

Decentralized local broadcast key establishment scheme

$U$ = {Set of guards}, $S$ = {Set of nodes}
$U$ : Broadcast $\{FK_i \| (X_i, Y_i) \| H^{n-q}(PW_i) \| q\}_{K_0}$.
$S$ : Verify $H(H^{n-q}(PW_i)) = H^{n-q+1}(PW_i)$, $\forall g_i \in GH_s$.
$S$ : Broadcast $ID_{s_i} = \{Id_{g_1} \| Id_{g_2} \| \ldots \| Id_{g_m} \| th_{s_i}\}_{K_0}$, where $m = |GH_s|$.
for all $s_i \in S$
    for all $ID_{s_j}$ heard by $s_i$
        if $|\bigcap(ID_{s_i}, ID_{s_j})| \geq th_{s_i,s_j}$, Generate: $K_{s_i,s_j} = H(FK_1 \| FK_2 \| \ldots \| FK_m)$
            $s_i$ : $\{\eta_i\}_{K_{s_i,s_j}} \rightarrow s_j$,   $s_j$ : $\{J(\eta_i)\}_{K_{s_i,s_j}} \rightarrow s_i$
            if $J(\eta_i)$ valid $\rightarrow N_{s_i} \cup \{s_j\}$ end if
        end if
    end for
end for
for all $s_i \in S$
    for all $s_j \in N_{s_i}$
        Send $s_i$ : $\{K_{s_i}\}_{K_{s_i,s_j}}$
    end for
end for

In this section, we compute the communication cost of the decentralized LBK establishment scheme in terms of number of messages that are transmitted in the whole network as well as the number of messages transmitted [...] beacons containing the fractional keys. If $U$ denotes the set of guards deployed in the network, the cost of Step 1 is equal to $|U|$, where $|\cdot|$ denotes the cardinality of the set.

In Step 2, every node broadcasts the identities of the guards that it heard. If $S$ denotes the set of nodes deployed in the network, the number of broadcasts is equal to $|S|$. Once the fractional keys have been broadcast, each node establishes pairwise keys with all its one-hop neighbors. The challenge-response scheme executed for the establishment of the pairwise keys requires the exchange of two messages with each one-hop neighbor, and every node has, on average, $\rho_s \pi r^2$ neighbors. Hence, the communication cost of the challenge-response scheme is equal to $2|S|\rho_s \pi r^2$.

In Step 3, every node unicasts the LBK to all its one-hop neighbors. The cost of this step is equal to $|S|\rho_s \pi r^2$ messages. Adding the cost of all three steps yields a network-wide communication cost $C$ for the decentralized key establishment scheme equal to

$$C = |U| + |S| + 3|S|\rho_s \pi r^2. \qquad (2.17)$$

The communication cost $C_g$ for each guard $g$ is equal to one message per LBK establishment (guards may periodically broadcast new fractional keys to update the current LBKs or accommodate changes in the network topology). The communication cost $C_s$ for each node $s$ is computed as follows: each node broadcasts one message to announce the fractional keys that it holds. In addition, each node $s$ exchanges one message with each one-hop neighbor in order to establish a pairwise key when it initiates the key establishment, and one message when the key establishment is initiated by the one-hop neighbors. Finally, each node $s$ needs to unicast its LBK to each of its one-hop neighbors, thus the communication cost for each node is $C_s = 3\rho_s \pi r^2 + 1$.

Note that the network-wide communication cost $C$ and the individual node communication cost have been calculated based on the assumption that two pairwise keys are established between one-hop neighbors. If only one key is established according to (2.16), the network-wide communication cost reduces to $C = |U| + |S| + 2|S|\rho_s \pi r^2$, and the individual node communication cost reduces to $C_s = 2\rho_s \pi r^2 + 1$.

Figure 2.9: A wormhole attack scenario. Node $s_1$ hears broadcasts from guard set $GH_{s_1} = \{g_1, \ldots, g_5\}$ and node $s_2$ hears broadcasts from guard set $GH_{s_2} = \{g_6, \ldots, g_{10}\}$, with $GH_{s_1} \cap GH_{s_2} = \emptyset$. An attacker replays messages from $GH_{s_1}$ in the vicinity of $s_2$ and messages from $GH_{s_2}$ in the vicinity of $s_1$. Nodes $s_1, s_2$ have $|GH_{s_1} \cup GH_{s_2}| \geq th$ fractional keys in common and hence establish pairwise key $K_{s_1,s_2}$.


In the case where the guards are equipped with directional antennas, they transmit a different fractional key at each antenna sector. Hence, each guard needs to transmit $C_g = M$ messages per LBK establishment, where $M$ denotes the number of antenna sectors at each guard. While the node communication cost $C_s$ does not change, the network-wide communication cost for the case of guards equipped with directional antennas becomes $C = M|U| + |S| + 2|S|\rho_s \pi r^2$.


2.4  Securing  the  Broadcast  of  Fractional  Keys 

The  LBKs  prevent  wormhole  attacks  once  they  have  been  established.  However,  we  need  to  ensure 
that  an  adversary  does  not  mount  a  wormhole  attack  during  the  broadcasting  of  the  fractional  keys. 
In  this  section,  we  provide  mechanisms  to  secure  the  fractional  key  distribution  from  wormholes. 

2.4.1  Wormhole  attack  against  the  fractional  key  distribution 

We first show how an adversary can successfully operate a wormhole link between two nodes that are out of communication range by exploiting the fractional key distribution mechanism. Recalling that $R$ ($> r$) is the range of the guard, consider figure 2.9, where an adversary establishes a bi-directional wormhole link between nodes $s_1, s_2$, with $s_1, s_2$ being several hops away. In step 1 of the decentralized LBK establishment scheme, guards broadcast their fractional keys. The adversary records all messages heard by $s_1, s_2$ and replays the messages heard by $s_1$ in the vicinity of node $s_2$, and messages heard by $s_2$ in the vicinity of $s_1$. After the replay, nodes $s_1, s_2$ have a common set of fractional keys of size $|GH_{s_1} \cup GH_{s_2}|$. Independent of the threshold value selected, $s_1, s_2$ will share more than $th$ fractional keys since they hear exactly the same sets of guards.

In step two of the LBK establishment scheme, the nodes $s_1, s_2$ will broadcast the Ids of the fractional keys that they hold. The adversary will forward those messages to both nodes, and since $s_1, s_2$ share more than $th$ fractional keys, they establish a pairwise key through the wormhole link. Once the pairwise key is established, the two nodes will also share LBKs and the wormhole link will be in operation.

2.4.2 Detection of the wormhole attack

We  now  show  how  a  node  can  detect  a  wormhole  attack  during  the  broadcast  of  the  fractional  keys 
using  two  properties:  The  single  message  per  guard/sector  property  and  the  communication  range 
constraint  property. 


Single  message  per  guard/sector  property 

Lemma  3  Single  message  per  guard/sector  property:  Reception  of  multiple  copies  of  an  identical 
message  from  the  same  guard  is  due  to  replay  or  multipath  effects. 

Proof  8  Proof  of  Lemma  3  is  the  same  as  the  proof  of  Lemma  1. 

Based on proposition 3, we can detect wormhole attacks in case the origin point of the attack is close to the nodes under attack, so that the attacker records transmissions from guards that are directly heard by the nodes under attack. Assume that guards use omnidirectional antennas for the transmission of the fractional keys. If an attacker replays a transmission of a guard $g_i$ that is directly heard by node $s$, the node can detect the attack since it will have received the same fractional key through the direct link at an earlier time.

If the guards use directional antennas and the attacker replays messages from guards directly heard by the node under attack but from a different sector, the attacked node will detect that it is infeasible to hear two sectors of a single guard. Moreover, since the hash values are identical for all sectors per transmission, the replay will be detected: the direct signal from $g_i$ will reach $s$ earlier than any replay, assuming that the guard transmits in all sectors simultaneously. In addition, the node will acquire the latest published value of the hash chain of $g_i$ through the direct link. Hence, any replay containing an already published hash value will not be authenticated. Note that in the case of directional antennas a node can hear two different sectors if it is located at the boundary between two sector regions due to imperfect sectorization or due to multipath effects. We also treat imperfect sectorization as a replay attack, and a node accepts the earliest received message as the authentic one.

Proposition 4 The detection probability $P(SG)$ due to the single message per guard/sector property is equal to the probability that at least one guard lies within an area of size $A_c$ and is given by

$$P(SG) = 1 - e^{-\rho_g A_c}, \quad \text{with } A_c = 2R^2\phi - Rl\sin\phi, \quad \phi = \cos^{-1}\frac{l}{2R}, \qquad (2.18)$$

with $l$ being the distance between the origin and the destination.

Proof 9 The proof of Proposition 4 is the same as the proof of Proposition 1.

In figure 1.6(a), we show the detection probability $P(SG)$ vs. the guard density $\rho_g$ and the distance $\|s - O\|$ between the origin point and the node under attack, normalized over $R$, for $\frac{R}{r} = 10$. We observe that if $\|s - O\| > 2R$, the single message per guard/sector property cannot be used to detect a wormhole attack since the disks $A_s, A_O$ do not overlap ($A_c = 0$). For distances $\|s - O\| > 2R$, a wormhole attack can be detected using the communication range constraint property detailed next.

Communication range constraint property

The  set  of  guards  GHS  heard  by  a  node  s  has  to  satisfy  the  Communication  Range  constraint  (CR). 
Given  the  coordinates  of  node  s,  all  guards  heard  should  lie  within  a  circle  of  radius  R,  centered 
at  s.  Since  node  s  is  not  aware  of  its  location,  it  relies  on  its  knowledge  of  the  guard-to-node 
communication  range  R  to  verify  that  the  set  GHS  satisfies  the  communication  range  constraint. 

Proposition 5 Communication Range constraint property (CR): A node $s$ cannot hear two guards $g_i, g_j \in GH_s$ that are more than $2R$ apart (i.e., $\|g_i - g_j\| \leq 2R$, $\forall i, j$, $i \neq j$).

Proof 10 Any guard $g_i \in GH_s$ heard by node $s$ has to lie within a circle of radius $R$, centered at the node $s$ (area $A_s$ in 1.4(a)), $\|g_i - s\| \leq R$, $\forall g_i \in GH_s$. Hence, there cannot be two guards within a circle of radius $R$ that are more than $2R$ apart.

$$\|g_i - g_j\| = \|g_i - s + s - g_j\| \leq \|g_i - s\| + \|s - g_j\| \leq R + R = 2R. \qquad (2.19)$$


Recall that guards include their coordinates with every transmission of fractional keys and, hence, a node $s$ knows the location of all the guards $g_i \in GH_s$. Using the guards' coordinates, a node can detect a wormhole attack if the communication range constraint property is violated. We now compute the probability $P(CR)$ of detecting a wormhole attack using the communication range constraint property.

Proposition  6  A  wormhole  attack  is  detected  using  the  communication  range  constraint  property, 
with  a  probability 

P{CR )  >  ^1  —  e~Ps,Ai^j  ,  with  A*  =  d\J R2  —  d2  —  R2  tan-1  ’  (2.20) 

andd= 

Proof  11  The  proof  of  Proposition  6  is  the  same  as  the  proof  of  Proposition  2. 


Detection probability $P_{det}$ of the wormhole attack

We now combine the two detection mechanisms, namely the single message per guard/sector property and the communication range constraint property, for computing the detection probability of a wormhole attack during the broadcast of the fractional keys.

Proposition 7 The detection probability of a wormhole attack during the broadcast of fractional keys is lower bounded by $P_{det} \geq (1 - e^{-\rho_g A_c}) + (1 - e^{-\rho_g A_i^*})^2 e^{-\rho_g A_c}$.

Figure 2.10: A lower bound on the wormhole detection probability $P_{det}$.


In figure 2.10, we show the lower bound on $P_{det}$ vs. the guard density $\rho_g$ and the distance $\|s - O\|$ normalized over $R$. For values of $\|s - O\| > 4R$, $P(CR) = 1$, and, hence, a wormhole attack is always detected. From figure 1.6(c), we observe that a wormhole attack during the distribution of the fractional keys is detected with a probability very close to unity, independent of where the origin and destination point of the attack are located. The intuition behind (??) is that there is at most $(1 - P_{det})$ probability for a specific realization of the network to have an origin and destination point where a wormhole attack would be successful. Even if such a realization occurs, the attacker has to acquire full knowledge of the network topology and, based on the geometry, locate the origin and destination point where the wormhole link can be established.

2.4.3  Key  establishment  in  the  presence  of  wormholes 

Although a wormhole can be detected using the two detection mechanisms, a node under attack cannot distinguish the valid subset of guards from the replayed ones. Once a wormhole is detected, there needs to be an additional mechanism to separate the set of guards heard directly by the node from those replayed. We now describe the Closest Guard Algorithm (CGA) that resolves the guard ambiguity.


Closest  Guard  Algorithm  (CGA) 

Assume that a node $s$ authenticates a set of guards $GH'_s$, but detects that it is under attack. To determine the valid set of guards (guards within one hop from $s$), node $s$ executes the following three-step algorithm:

Step 1: The node $s$ broadcasts a message containing a Closest Guard Reply Request $CGR\_REQ$ and a nonce $\eta_s$ encrypted with the globally shared key $K_0$, and its $Id_s$ concatenated at the end of the encrypted part of the message. The message format of the request transmitted by sensor $s$ is as follows

$$\{CGR\_REQ \| \eta_s\}_{K_0} \| Id_s.$$

Closest Guard Algorithm (CGA)

$GH'_s$ : Guards heard by node $s$
$s$ : broadcast $\{CGR\_REQ \| \eta_s\}_{K_0} \| Id_s$
forallgi  a  \\gi  -  s\\  <  r(Dg)-y 

    $g_i$ : broadcast $\{(X_i, Y_i) \| J(\eta_s) \| H^{n-k}(PW_i)\}_{K_{s,g_i}} \| Id_{g_i}$
endfor

$s$ : identify $g'_i \in GH'_s$ that replies first with the correct $J(\eta_s)$
$s$ : set $GH_s$ : $\{g_i \in GH'_s : \|g'_i - g_i\| \leq 2R\}$

Figure 2.11: The pseudo-code for the Closest Guard Algorithm (CGA). A node under a wormhole attack uses the CGA to separate the valid set of guards (one-hop) from the replayed ones.

Step 2: Every guard hearing the message broadcast from $s$ replies with a message containing $J(\eta_s)$, where $J(x)$ is a computationally efficient function, such as $J(x) = x - 1$, its coordinates, the next hash value of its chain that has not been published, and its $Id_g$. The message is encrypted using the pairwise key $K_{s,g_i}$, shared between the sensor $s$ and each guard $g_i$. The message format broadcast by each guard $g_i$ hearing the sensor's request is as follows

$$\{(X_i, Y_i) \| J(\eta_s) \| H^{n-k}(PW_i)\}_{K_{s,g_i}} \| Id_{g_i}.$$

The node identifies the guard $g'_i$ whose reply arrives first as the closest guard to $s$.

Step 3: Using the communication range constraint property, node $s$ identifies the valid set of guards $GH_s$ as all the guards that are not more than $2R$ away$^6$ from $g'_i$ and uses the fractional keys received from $GH_s$ to establish pairwise keys and LBKs with its immediate neighbors. Figure 2.11 summarizes the steps of the CGA algorithm. Note that in order for a node $s$ to identify its closest guard, we assume that no packet loss occurs during the execution of the CGA.
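The two detection properties of Section 2.4.2 and steps 2 and 3 of the CGA can be sketched as follows for the omnidirectional case. This is an added example, not the report's code: SHA-256 stands in for $H$, nodes are assumed to be preloaded with each guard's chain anchor $H^n(PW_i)$, replies are assumed already decrypted, and all class, function and guard names, coordinates and timings are constructed.

```python
import hashlib
import math
from dataclasses import dataclass
from itertools import combinations


def H(data: bytes) -> bytes:
    """Stand-in for the guards' one-way hash H (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)]."""
    values = [seed]
    for _ in range(n):
        values.append(H(values[-1]))
    return values


@dataclass(frozen=True)
class Beacon:
    guard_id: str
    x: float              # guard coordinates (X_i, Y_i) carried in the beacon
    y: float
    chain_value: bytes    # H^{n-q}(PW_i)


class Node:
    def __init__(self, R: float, anchors: dict):
        self.R = R
        self.latest = dict(anchors)  # guard id -> last published chain value
        self.heard = {}              # guard id -> authenticated beacon
        self.replays = []            # guard ids whose beacon arrived twice

    def receive(self, b: Beacon) -> bool:
        """Authenticate a beacon; flag a second copy of a published value."""
        known = self.latest.get(b.guard_id)
        if known is None:
            return False
        if H(b.chain_value) == known:          # H(H^{n-q}) == H^{n-q+1}
            self.latest[b.guard_id] = b.chain_value
            self.heard[b.guard_id] = b
            return True
        if b.chain_value == known:             # already published: replay
            self.replays.append(b.guard_id)
        return False

    def range_violations(self) -> list:
        """Pairs of heard guards more than 2R apart (CR property broken)."""
        return [(a.guard_id, b.guard_id)
                for a, b in combinations(self.heard.values(), 2)
                if math.dist((a.x, a.y), (b.x, b.y)) > 2 * self.R]

    def under_attack(self) -> bool:
        return bool(self.replays or self.range_violations())

    def closest_guard(self, nonce: int, replies: list):
        """CGA step 2: earliest reply carrying J(nonce) = nonce - 1."""
        valid = [(t, g) for g, j, t in replies
                 if g in self.heard and j == nonce - 1]
        return min(valid)[1] if valid else None

    def valid_guards(self, closest_id: str) -> list:
        """CGA step 3: guards no more than 2R from the closest guard."""
        c = self.heard[closest_id]
        return sorted(g for g, b in self.heard.items()
                      if math.dist((c.x, c.y), (b.x, b.y)) <= 2 * self.R)


def constructed_scenario() -> dict:
    """Constructed data: node s at the origin, R = 100, remote guard g6."""
    n = 10
    chains = {g: hash_chain(g.encode() + b"-pw", n) for g in ("g1", "g2", "g6")}
    node = Node(R=100.0, anchors={g: c[n] for g, c in chains.items()})
    beacons = {
        "g1": Beacon("g1", 30.0, 40.0, chains["g1"][n - 1]),
        "g2": Beacon("g2", -60.0, 10.0, chains["g2"][n - 1]),
        "g6": Beacon("g6", 500.0, 20.0, chains["g6"][n - 1]),  # replay only
    }
    accepted = [node.receive(beacons[g]) for g in ("g1", "g2")]
    accepted.append(node.receive(beacons["g1"]))   # second copy of g1
    accepted.append(node.receive(beacons["g6"]))   # copy of a remote guard
    # Replies as (guard id, J value, arrival time in microseconds); the
    # relayed reply of g6 arrives later than the direct ones.
    nonce = 7001
    replies = [("g6", nonce - 1, 95.0), ("g2", nonce - 1, 0.9),
               ("g1", nonce - 1, 0.6)]
    closest = node.closest_guard(nonce, replies)
    return {"accepted": accepted, "replays": node.replays,
            "violations": node.range_violations(),
            "under_attack": node.under_attack(),
            "closest": closest, "valid": node.valid_guards(closest)}
```

The remote guard g6 authenticates correctly because the node has never seen its chain value, so only the 2R check exposes it; the second copy of g1 is caught by the hash chain alone.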

An  implementation  issue  with  the  CGA  algorithm  involves  collisions  of  multiple  CGA_REQ 
messages  at  the  guards  and  collisions  of  multiple  replies  at  the  nodes.  Known  techniques  for  multiple 
access  of  the  same  medium,  such  as  CSMA  protocols  [49]  and/or  CDMA  mode  of  communication 
[137]  can  be  employed  to  enable  the  use  of  the  same  medium  by  multiple  users.  To  mitigate  the 
effect  of  collisions  at  the  guards,  nodes  may  randomize  the  time  of  broadcasting  the  CGA_REQ 
messages.  Note  that  just  a  few  nodes  that  are  under  attack  need  to  execute  the  CGA  algorithm, 
unless  the  adversary  performs  a  large  scale  wormhole  attack  by  deploying  multiple  wormhole  links 
to  attack  many  nodes  at  once. 

For  the  case  of  collisions  of  replies  originating  from  guards  occurring  at  the  node  side,  note  that 
although  a  node  may  hear  several  guards,  it  can  only  bi-directionally  communicate  with  a  small 
fraction  of  the  guards  it  hears,  since  regular  nodes  have  a  much  smaller  communication  range  than 
guards.  In  fact,  in  our  deployment,  bi-directional  communication  with  only  one  guard  is  sufficient 
to  resolve  the  ambiguity  between  the  valid  set  of  guards  and  the  replayed  one.  Hence,  not  many 
guards  (if  more  than  one)  will  reply  to  the  node’s  request.  Moreover,  in  order  to  provide  a  valid 
response  from  the  replayed  set  of  one-hop  guards,  an  adversary  needs  to  (a)  record  the  CGA_REQ 
transmitted  by  the  node,  (b)  tunnel  it  via  the  wormhole  link  at  the  origin  point  of  the  attack,  (c) 
replay it at the origin point of the attack, (d) record the guards' reply, (e) tunnel the reply via
the wormhole link to the destination point of the attack, and (f) replay the guards' reply at the
destination point. However, any replies from the replayed guards will arrive at the node much later
than the reply originating from the one-hop guards⁷. Hence, the replies provided by the attacker
will not collide with the one provided by the closest guard.

⁶ In the case where the guards are equipped with directional antennas, node s identifies the valid set of guards
$GH_s$ as all the guards whose sectors overlap with the sector of the closest guard $g'_i$.

In the case where no additional mechanism exists to resolve collisions, the node can engage in a
challenge-response protocol with each guard within the set $GH_s$, such as the one in [89]. In order
to compare the distances between different guards, the node needs to be equipped with an accurate
timer, so that it can measure the round-trip-time (RTT) in the challenge-response exchange. Using
the RTT from the challenge-response for different guards, the node can identify the closest guard
and, hence, the valid set of guards. In our present scheme, nodes are not required to be equipped
with such accurate timers (that was the reason why the CGA was proposed as opposed to a method
that uses timers). However, if nodes can be equipped with timers, the node can also reject any reply
that has an RTT longer than $2\frac{r(D_g)^{1/\gamma}}{c} + \delta$, where $r(D_g)^{1/\gamma}$ denotes the node-to-guard
communication range, $c$ denotes the speed of light, and $\delta$ denotes an upper bound on the guard
processing delay. Hence, the node can verify that any reply with an RTT smaller than
$2\frac{r(D_g)^{1/\gamma}}{c} + \delta$ comes from a guard within its range and can reject those replies taking more
than $2\frac{r(D_g)^{1/\gamma}}{c} + \delta$.
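The node-side selection logic of Steps 2 and 3, together with the optional RTT bound, is sketched below as an added example (not code from the report). The coordinates, RTT values, ranges and the names `Reply`, `rtt_bound` and `closest_guard_and_valid_set` are constructed for illustration; decryption and hash-chain verification of each reply are assumed to have succeeded already.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

C = 3.0e8  # speed of light in m/s


@dataclass(frozen=True)
class Reply:
    guard_id: str
    coords: Tuple[float, float]  # (X_i, Y_i) carried in the authenticated reply
    rtt: float                   # seconds between sending CGA_REQ and receiving the reply


def rtt_bound(node_to_guard_range: float, delta: float) -> float:
    """Largest RTT a reply from an in-range guard can have: 2 * range / c + delta."""
    return 2.0 * node_to_guard_range / C + delta


def closest_guard_and_valid_set(
    heard: Dict[str, Tuple[float, float]],
    replies: List[Reply],
    R: float,
    max_rtt: Optional[float] = None,
) -> Tuple[Optional[str], Set[str]]:
    """Return (closest guard id, valid guard set GH_s).

    heard   : every guard whose beacon the node received, genuine or replayed.
    replies : replies to the node's CGA_REQ.
    R       : guard-to-node communication range.
    max_rtt : if the node has an accurate timer, replies slower than this are dropped.
    """
    if max_rtt is not None:
        replies = [rep for rep in replies if rep.rtt <= max_rtt]
    if not replies:
        # Nothing trustworthy arrived: establish no keys rather than guess.
        return None, set()
    # The reply that arrives first identifies the closest guard.
    closest = min(replies, key=lambda rep: rep.rtt)
    # Communication range constraint: guards heard by one node are at most 2R apart.
    valid = {
        gid for gid, pos in heard.items()
        if math.dist(pos, closest.coords) <= 2.0 * R
    }
    return closest.guard_id, valid


# --- Constructed scenario (all values are assumptions for the example) ---
R = 20.0       # guard-to-node range in metres
R_SG = 10.0    # node-to-guard range in metres
DELTA = 1e-6   # upper bound on guard processing delay in seconds

# The node sits at (0, 0). g1..g3 are genuine one-hop guards; w1 and w2 are
# guards whose beacons reach the node only through a wormhole replay.
HEARD = {
    "g1": (5.0, 3.0),
    "g2": (15.0, -8.0),
    "g3": (-12.0, 14.0),
    "w1": (300.0, 310.0),
    "w2": (310.0, 295.0),
}

# Only g1 is within node-to-guard range; w1's reply had to cross the tunnel twice.
REPLIES = [
    Reply("g1", (5.0, 3.0), 0.84e-6),
    Reply("w1", (300.0, 310.0), 5.0e-6),
]

if __name__ == "__main__":
    print(closest_guard_and_valid_set(HEARD, REPLIES, R))
    # If g1's reply is lost, only the RTT bound keeps the replayed set out.
    lost = [rep for rep in REPLIES if rep.guard_id != "g1"]
    print(closest_guard_and_valid_set(HEARD, lost, R))
    print(closest_guard_and_valid_set(HEARD, lost, R, rtt_bound(R_SG, DELTA)))
```

The second call shows why the no-packet-loss assumption matters: without a timer, a lost genuine reply makes the replayed reply the first to arrive.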


2.5  Performance  Evaluation 

In  this  section,  we  provide  simulation  studies  that  evaluate  to  what  extent  our  method  prevents  the 
wormhole  attack.  For  varying  network  parameters,  we  evaluate  the  percentage  of  one-hop  neighbors 
that  are  able  to  establish  a  pairwise  key  and,  hence,  a  local  broadcast  key,  as  a  function  of  the 
threshold  th.  We  also  evaluate  the  percentage  of  non-immediate  neighbors  that  have  more  than  th 
fractional  keys  in  common,  as  a  function  of  th.  Finally,  we  show  that  in  the  case  where  it  is  possible 
to  establish  a  wormhole  link,  that  link  is  no  longer  than  two  hops,  and  based  on  our  simulation 
results,  we  provide  the  rationale  to  determine  the  appropriate  threshold  value  to  establish  LBK  for 
each  network  setup. 


2.5.1  Simulation  setup 

We generated random network topologies confined in a square area of size $\mathcal{A} = 10{,}000$ m². For each
network topology we randomly placed 5,000 nodes within $\mathcal{A}$, equivalent to a node density of
$\rho_s = 0.5$ nodes/m². We then randomly placed the guards with density $\rho_g$, varying from 0.005 to 0.05
guards/m². To ensure statistical validity, we repeated each experiment for 1,000 networks and
averaged the results.

Since the level of protection against wormholes depends upon the guard density $\rho_g$, we want
to maintain a constant density across the whole network deployment area. However, if we deploy
guards in the same area as the nodes of the network, nodes located at the border of the deployment
area will experience a smaller guard density than nodes in the center of the area. To eliminate the
border effects, we need to over-deploy guards at the borders of the deployment area
or deploy guards at a slightly larger area than the area of the nodes.

To illustrate how deploying guards at a larger area can address the border effects issue, assume
that nodes are to be deployed in a square of size $\mathcal{A} = A \times A$. In order to provide the same level
of security at the borders as in the inside of the deployment area, we randomly deploy guards
within a square of size $(A + R) \times (A + R)$, where R is the guard-to-node communication range. The
number of guards that need to be over-deployed in order to eliminate the border effects is equal
to $G_{over} = \rho_g(R^2 + 2AR)$. In our performance evaluation, we simulated the constant deployment
density by deploying guards in the area $(A + R) \times (A + R)$ and nodes in the area $A \times A$.

⁷ Note that we have assumed that the adversary does not jam the communication medium.

Figure 2.12: Percentage of immediate neighbors that share more than th fractional keys for $\rho_s = 0.5$ nodes/m²,
$\mathcal{A} = 10{,}000$ m² when (a) different antennas are used at the guards and $\rho_g = 0.01$ guards/m², (b) different antennas
are used at the guards and $\rho_g = 0.04$ guards/m².

In addition, as described in Section 2.3.3, we allowed each node s to locally compute the
threshold based on the number of guards $|GH_s|$ that it hears. Hence, depending on $|GH_s|$, each
node selects a different threshold value equal to $th = |GH_s| - c$, where c is some constant value.
Our simulation graphs provide a mechanism to choose the appropriate value for the constant c, in
order to maximize the probability of key establishment with one-hop neighbors, while keeping the
probability of sharing more than the threshold keys with non-immediate neighbors below a desired
value. In order to refer all results to a common axis, we use $|GH_s| - th$ instead of th.

2.5.2  Key  establishment  with  one-hop  neighbors 

In our first experiment, we evaluated the percentage of one-hop (immediate) neighbors $P_{immed}$ that
each node is able to establish a pairwise key with, as a function of the threshold th, the guard
density $\rho_g$ and the number of antenna sectors M used by the guards. In figure 2.12(a), we present
$P_{immed}$ vs. $|GH_s| - th$, for a guard density $\rho_g = 0.01$ guards/m² and for different antenna sectors.
We observe that for a threshold value $th < |GH_s| - 5$, the nodes establish a pairwise key with
almost all their neighbors when omnidirectional or sectored antennas with M = 3, 4, 6, 8 sectors
are used ($P_{immed} > 0.99$). For M = 16 we achieve⁸ a $P_{immed} > 0.99$ for threshold values smaller
than $th < |GH_s| - 7$.

⁸ In today's technology, it may seem excessive to assume that guard nodes have 16 antennas each. However, as the
frequency used for communication increases, the size of the antennas will decrease and, hence, in the near future it
will be feasible to install more directional antennas in a single guard. Furthermore, the use of multiple-array patched
antennas (antennas integrated on a chip) has enabled the implementation of directional antennas of very small factor.
The goal of simulating such a high number of antennas at the guards is to explore the tradeoff between hardware
complexity and level of security.

Figure 2.13: Percentage of immediate neighbors that share more than th fractional keys for $\rho_s = 0.5$ nodes/m²,
$\mathcal{A} = 10{,}000$ m² when (a) omnidirectional antennas are used at the guards and $\rho_g$ varies, (b) 4-sector directional
antennas are used at the guards and $\rho_g$ varies.

Note that the use of directional antennas does not significantly affect the threshold value for
which nodes are able to establish pairwise keys with their immediate neighbors. This fact is an
indication that immediate neighbors hear the same antenna sectors and, hence, acquire the same
fractional keys. However, when directional antennas are used, fewer neighbors more than one hop
away will share more than th fractional keys, as we will show in our second experiment.

In figure 2.12(b), we present $P_{immed}$ vs. $|GH_s| - th$ for a higher guard density $\rho_g = 0.04$
guards/m². We observe that for $\rho_g = 0.04$ guards/m² we need a threshold value $th < |GH_s| - 13$
to allow all one-hop neighbors to establish pairwise keys. Since for $\rho_g = 0.04$ guards/m² each
node hears almost four times more guards than for $\rho_g = 0.01$ guards/m², more guards are likely
to be heard by only a fraction of the local neighborhood rather than the whole. Hence, we need a
threshold value significantly lower than $|GH_s|$ to allow all immediate neighbors to share a sufficient
number of fractional keys for establishing a pairwise key. To further reinforce this fact, in figures
2.13(a) and 2.13(b) we present $P_{immed}$ vs. $|GH_s| - th$, for varying guard densities $\rho_g$, and for
omnidirectional and 4-sector directional antennas, respectively. We observe that from $\rho_g = 0.005$
guards/m² to $\rho_g = 0.05$ guards/m² we need to increase $|GH_s| - th$ by 10 in order to achieve
the same $P_{immed}$.

In figures 2.14(a) and 2.14(b), we present $P_{immed}$ vs. $|GH_s| - th$ for varying guard-to-node
communication ranges R, for omnidirectional and eight-sector directional antennas, respectively.
We observe that as the communication range R increases we need a higher difference $|GH_s| - th$
in order to achieve the same $P_{immed}$. This is due to the fact that as R increases, each node is able
to hear more guards (same effect as increasing the guard density $\rho_g$). Hence, out of the bigger set
of possible guards heard, more guards are heard by only a fraction of the local neighborhood, and
a lower threshold value relative to $|GH_s|$ is needed to allow all immediate neighbors to share more
than th fractional keys.

Figure 2.14: Percentage of immediate neighbors that share more than th fractional keys for $\rho_s = 0.5$, $\mathcal{A} = 10{,}000$
when (a) omnidirectional antennas are used at the guards, $\rho_g = 0.03$, and R varies, (b) 8-sector antennas are used
at the guards, $\rho_g = 0.03$, and R varies.


2.5.3  Isolation  of  non-immediate  neighbors 

In order to prevent wormhole attacks, we must ensure that non-immediate neighbors remain isolated
by not being able to establish a pairwise key. In our second experiment, we evaluated the percentage
of non-immediate neighbors $P_{non-im}$ that share more than th fractional keys as a function of th, for
different guard densities $\rho_g$ and number of antenna sectors M. For each node, we took into account
in the percentage calculation only those neighbors that heard at least one common guard with the
node under consideration.

In figure 2.15(a), we show $P_{non-im}$ vs. $|GH_s| - th$ in a logarithmic scale for a guard density of
$\rho_g = 0.01$ guards/m². From figure 2.15(a), we observe that the use of directional antennas can drop
the $P_{non-im}$ up to half compared to the omnidirectional antennas case, at the expense of hardware
complexity at the guards. For example, for a threshold value $th = |GH_s| - 3$, $P_{non-im}$ = 0.0358,
0.0280, 0.0252, 0.0236, 0.0197, 0.0118 for M = 1, 3, 4, 6, 8, 16 antenna sectors, respectively. In figure
2.15(b), we present $P_{non-im}$ vs. $|GH_s| - th$ for a guard density $\rho_g = 0.04$ guards/m². We observe
that for a higher guard density we are able to further limit the number of non-immediate neighbors
that share more than th fractional keys. For example, when $th = |GH_s| - 10$, $P_{non-im}$ = 0.0117,
0.091, 0.089, 0.0079, 0.0068, 0.004 for M = 1, 3, 4, 6, 8, 16 antenna sectors, respectively.

In figures 2.16(a), (b) we present $P_{non-im}$ vs. $|GH_s| - th$ for varying guard densities and show
how we achieve higher isolation of non-immediate neighbors with the increase of $\rho_g$. In figure
2.17(a), we present $P_{non-im}$ for different guard-to-node communication ranges R and show how we
achieve higher isolation of non-immediate neighbors with the increase of R. As expected, a higher
guard density $\rho_g$ and a higher R achieve better non-immediate neighbor isolation for all values of
the threshold th, since for both cases the set of guards heard at each node becomes bigger and more
guards are heard by only a fraction of the non-immediate neighbors.

Figure 2.15: Percentage of non-immediate neighbors that share more than th fractional keys for $\rho_s = 0.5$ nodes/m²,
$\mathcal{A} = 10{,}000$ m² when (a) different antennas are used at the guards and $\rho_g = 0.01$ guards/m², (b) different antennas
are used at the guards and $\rho_g = 0.04$ guards/m².
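The two experiments of Sections 2.5.2 and 2.5.3 can be reproduced in miniature with the added sketch below (not the report's simulator). It assumes omnidirectional guards, a single topology instead of 1,000, a scaled-down area A = 30 m, assumed ranges r = 3 m and R = 15 m, a guard square centred on the node square, and that node s applies its own threshold th = |GH_s| - c to each neighbor.

```python
import math
import random


def g_over(rho_g, A, R):
    """Guards over-deployed when guards cover (A+R)x(A+R) instead of AxA."""
    return rho_g * (R ** 2 + 2 * A * R)


def deploy(rho_s, rho_g, A, R, rng):
    """Random nodes in the A x A square, random guards in an (A+R) x (A+R) square.

    Assumption: the guard square is centred on the node square.
    """
    nodes = [(rng.uniform(0, A), rng.uniform(0, A))
             for _ in range(round(rho_s * A * A))]
    lo, hi = -R / 2, A + R / 2
    guards = [(rng.uniform(lo, hi), rng.uniform(lo, hi))
              for _ in range(round(rho_g * (A + R) ** 2))]
    return nodes, guards


def heard_sets(nodes, guards, R):
    """GH_s for every node: indices of guards within guard-to-node range R."""
    return [frozenset(g for g, gpos in enumerate(guards)
                      if math.dist(npos, gpos) <= R)
            for npos in nodes]


def key_sharing(nodes, gh, r, c_values):
    """Return {c: (P_immed, P_non_im)} for thresholds th = |GH_s| - c.

    A pair counts as a hit when it shares more than th fractional keys.
    Non-immediate neighbors are counted only if they share at least one guard,
    as in Section 2.5.3.
    """
    hits = {c: [0, 0] for c in c_values}   # [immediate, non-immediate]
    totals = [0, 0]
    for s, spos in enumerate(nodes):
        for j, jpos in enumerate(nodes):
            if s == j:
                continue
            common = len(gh[s] & gh[j])
            kind = 0 if math.dist(spos, jpos) <= r else 1
            if kind == 1 and common == 0:
                continue
            totals[kind] += 1
            # common > |GH_s| - c  is the same as  |GH_s| - common < c
            missing = len(gh[s]) - common
            for c in c_values:
                if missing < c:
                    hits[c][kind] += 1
    return {c: (hits[c][0] / max(totals[0], 1), hits[c][1] / max(totals[1], 1))
            for c in c_values}


def simulate(seed=7, rho_s=0.5, rho_g=0.04, A=30.0, R=15.0, r=3.0,
             c_values=(0, 2, 5, 10, 14)):
    """One constructed topology; r, R and A are assumed values, not the report's."""
    rng = random.Random(seed)
    nodes, guards = deploy(rho_s, rho_g, A, R, rng)
    return key_sharing(nodes, heard_sets(nodes, guards, R), r, c_values)


if __name__ == "__main__":
    print("G_over for A=100, R=20, rho_g=0.04:", g_over(0.04, 100.0, 20.0))
    for c, (p_immed, p_non_im) in simulate().items():
        print(f"|GH_s| - th = {c:2d}  P_immed = {p_immed:.3f}  P_non-im = {p_non_im:.4f}")
```

Raising c moves both curves upward; the useful operating point is the smallest c at which P_immed is acceptable while P_non-im stays below the chosen bound.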


2.5.4  Length  of  a  potential  wormhole  link 

Our simulation results confirmed that by choosing appropriate network parameters, namely
guard-to-node communication range R, guard density $\rho_g$, and number of directional antennas M, we can
eliminate wormhole links with a very high probability. An adversary would have to gain a global
view of the network topology by knowing all the locations of the nodes and the guards in order to
identify, if any, a potential origin and destination point to launch its attack. In this section, we
show that even in the case where that adversary does identify two points to launch his attack, the
length of the wormhole link established is not longer than two hops. In fact, any non-immediate
neighbors that share more than th fractional keys are located just outside the perimeter that defines
their node-to-node communication range r.

In figure 2.17(b), we show the average distance normalized over r, between non-immediate
neighbors that have in common more than th fractional keys. We observe that for threshold values
lower than $th < |GH_s| - 10$, all non-immediate neighbors that share sufficient fractional keys are no
more than two hops away, regardless of the number of directional antennas used at the guards. As
the threshold increases towards its maximum value $|GH_s|$, the length of any potential wormhole link
becomes smaller. For example, by examining figures 2.15(b) and 2.17(b), for 16-sector directional
antennas and $th = |GH_s| - 5$, an attacker has a probability $P_{non-im} = 0.0004$ of establishing a
wormhole link between two non-immediate neighbors, and that link is 1.05r long.

The worst case result of our approach allows the establishment of two-hop wormhole links
with a very small probability. Those wormhole links can be a disruption for the nodes around the
destination point. However, the impact of such wormholes is localized in the two-hop neighborhood
around the destination point of the wormhole attack and does not affect the whole network. To
illustrate this, consider a wormhole attack against a distance vector-based routing protocol as shown
in figure 2.1(a) of Section 2.1. If a wormhole link is established between nodes $s_3$ and $s_4$, no traffic
will be affected except for the messages directed from $s_3$ to $s_4$. On the other hand, if a wormhole link
is established between nodes $s_6$ and $s_9$, all traffic that is passing through the vertex cut between $s_6$
and $s_9$ will be controlled by the attacker. While in our simple example the minimum cut between
nodes $s_1 \sim s_7$ and $s_9 \sim s_{13}$ consists of only one edge, in real network deployment scenarios the
minimum cut is expected to have a much bigger size, due to the high network density and size⁹.

⁹ Having a minimum cut of very few edges leaves the network vulnerable to many types of attacks such as DoS
attacks, and node capture attacks, since it allows the adversary to concentrate its attack on a very small part of the
network.

Figure 2.16: Percentage of non-immediate neighbors that share more than th fractional keys for $\rho_s = 0.5$, $\mathcal{A} = 10{,}000$
when (a) omnidirectional antennas are used at the guards and $\rho_g$ varies, (b) 16-sector directional antennas are used
at the guards and $\rho_g$ varies.

Another possible effect of a short wormhole is to disrupt the communication of certain key nodes
of the network. As previously noted in the paper, a two-hop wormhole can force a single node to
route through the wormhole link and give the attacker the advantage to control the traffic flow
from/to that node. Our scheme does not prevent this type of attack. However, we anticipate that
the operation of ad hoc networks that are envisioned to operate in a decentralized manner will not
be dependent upon the existence of a single or a small number of “key nodes” that can be easily
targeted by an attacker. Instead, the network operation will depend on the cooperation principle of
an abundance of densely deployed devices with similar capabilities. If the network operation relies
on the existence of few key nodes, the adversary can significantly disrupt the network by launching
a variety of attacks, such as DoS attacks, since a key node is a single point of failure.

Finally, as an example, short wormholes are not a major network disruption in majority-based
event-driven applications such as the one described in figure 2.2 of Section 2.1. Revisiting the
example of temperature monitoring, a clusterhead triggers an alarm if the majority of one-hop
neighbors reports a temperature measurement greater than a threshold. In the case of a short
wormhole, one can anticipate that nodes located within a two-hop range from the clusterhead will
not have significantly different temperature readings compared to the nodes within the one-hop
range. Furthermore, the number of nodes located within the ring between the circles of radius r and
1.05r centered at the clusterhead is significantly smaller compared to the number of nodes located
within the disk of radius r centered at the clusterhead ($[\rho_s \pi (1.05r^2 - r^2)] = 0.0625\,\rho_s \pi r^2$) and,
hence, even if the measurements of the two-hop nodes are greater than the threshold, they cannot
overcome the majority of the measurements originating from nodes within the communication range
r. As an example, if r = 10 m and $\rho_s = 0.05$ nodes/m², then there are 15.7 nodes on average within
one hop from the clusterhead, while only 1.6 nodes on average exist between r and 1.05r from the
clusterhead.

Figure 2.17: Percentage of non-immediate neighbors that share more than th fractional keys for $\rho_s = 0.5$, $\mathcal{A} = 10{,}000$
when (a) 16-sector directional antennas are used at the guards, $\rho_g = 0.03$, and R varies, (b) Average distance in
number of hops between non-immediate neighbors that share more than th fractional keys.

2.5.5  Determining  the  threshold  value 

For different system parameters, combining the plots for immediate and non-immediate neighbors,
we can determine the appropriate threshold value that both isolates non-immediate
neighbors and allows one-hop neighbors to establish pairwise keys. For example, when $\rho_g = 0.01$
guards/m², from figures 2.12(a) and 2.15(a), a threshold of $th = |GH_s| - 4$ isolates 97.91% of the
non-immediate neighbors, while allowing 93.13% of one-hop neighbors to establish pairwise keys,
when M = 16. From figures 2.12(b) and 2.15(b), a threshold of $th = |GH_s| - 14$ isolates 99.996%
of the non-immediate neighbors, while allowing 98.64% of the immediate neighbors to establish
pairwise keys for M = 16.

Depending on the hardware complexity constraints at the guards (transmission power and number
of directional antennas) and the security requirements, we can select the appropriate threshold
value th to achieve the maximum connectivity to immediate neighbors. For example, if due to
hardware complexity constraints only omnidirectional antennas can be used and the required
non-immediate neighbor isolation is above 99%, one can achieve a $P_{immed} = 0.64$ for $\rho_g = 0.01$ when
$th = |GH_s| - 2$ (see figures 2.12(a) and 2.15(a)). By increasing the guard density to $\rho_g = 0.04$
guards/m² for the same constraints, we can achieve a $P_{immed} = 0.90$ (see figures 2.12(b) and
2.15(b)). Hence, for any hardware constraint and security requirement, we can select the threshold
value th and the network parameters, $\rho_g$, R, so that we maximize $P_{immed}$, while keeping $P_{non-im}$
below a specific value.

Figure 2.18: Network parameter values: $\rho_s = 0.5$ nodes/m², $\rho_g = 0.04$ guards/m², $\mathcal{A} = 10{,}000$ m². (a) Percentage of
immediate neighbors that share more than th fractional keys when $R' \in [(1 - f)R, R]$. (b) Percentage of non-immediate
neighbors that share more than th fractional keys when $R' \in [(1 - f)R, R]$.


2.5.6  Re-evaluating  the  system  behavior  under  irregular  radio  pattern 

In  our  simulation  study  up  to  Section  2.5.5  we  have  considered  an  idealized  model  for  the  com¬ 
munication  range  of  both  the  guards  and  the  nodes  of  the  network.  Every  guard  has  the  same 
communication  range  R  and  every  node  has  the  same  communication  range  r.  In  this  section,  we 
study  how  the  security  parameters,  namely  the  probability  of  establishing  a  pairwise  key  with  a  one- 
hop  neighbor  Rimmed 5  the  probability  of  sharing  more  than  th  fractional  keys  with  a  non-immediate 
neighbor  pnon-im ,  and  the  length  of  a  potential  wormhole  link  vary,  when  the  communication  range 
R  varies  at  each  direction. 

To  simulate  the  variation  of  the  communication  range  of  each  guard,  we  considered  three  differ¬ 
ent  experiments.  In  the  first  experiment,  each  guard  is  equipped  with  an  omnidirectional  antenna, 
and  for  each  possible  direction  it  has  a  communication  range  R'  that  is  randomly  selected  between 
the  values  of  [(1  —  f)R,  (1  +  f)R],  where  /  denotes  the  fraction  of  variation  of  the  communication 
range10.  We  assigned  to  /  the  values  /  :  {0, 0.1,  0.2, 0.3,  0.4,  0.5}.  During  this  experiment,  nodes 
could  directly  communicate  with  guards  outside  the  nominal  communication  range  R,  on  average, 
every  guard  heard  the  same  number  of  guards  |  GHS  |  as  in  the  case  where  the  communication  range 
R  did  not  vary.  Hence,  the  probability  of  establishing  a  pairwise  key  with  a  one-hop  neighbor 
Pimmedi  the  probability  of  sharing  more  than  th  fractional  keys  with  a  non-immediate  neighbor 
Pnon-im ,  and  the  length  of  a  potential  wormhole  link  did  not  show  any  variation. 

In  the  second  experiment,  we  biased  the  communication  range  of  each  guard  to  have  smaller 
values  than  the  nominal  communication  range  R.  Specifically,  we  assigned  to  each  guard  a  com¬ 
munication  range  value  randomly  selected  between  the  values  of  [(1  —  f)R,R\.  Hence,  each  node 
would  hear,  on  average,  a  smaller  number  of  guards  compared  to  the  case  where  the  guard  com¬ 
munication  range  was  equal  to  R  for  all  guards.  In  figure  2.18(a),  we  show  the  Pimmed  vs.  the 
\GHS\  —  th  for  varying  values  of  /.  We  observe  that  the  probability  of  establishing  a  pairwise  key 
with  the  one-hop  neighbor  does  not  vary  significantly  with  the  variation  of  R.  This  is  due  to  the 

10  A  similar  radio  model  was  used  for  the  evaluating  the  performance  of  the  localization  scheme  in  [86]. 
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(a)  (b) 

Figure  2.19:  Network  parameter  values:  ra  =  0.5  nodes/m2,  pg  =  0.04  guards/m2,  A=  10,000m2.  (a)  Average 
distance  in  number  of  hops  between  non-immediate  neighbors  that  share  more  than  th  fractional  keys  when  R'  £ 
[(1  —  f)R,  -R] .  (b)  Percentage  of  immediate  neighbors  that  share  more  than  th  fractional  keys  when  R'  £  [R,  (1  +  f)R] . 
fact  that  the  threshold  is  locally  decided  at  each  node  and  , hence,  the  parameter  that  affects  the 
Pimmed  is  the  threshold  relative  to  \GHS\  and  not  the  absolute  value  of  GHS.  Furthermore,  as  we 
observe  in  figure  2.17(a),  varying  the  value  of  R  does  not  have  a  significant  impact  on  Pimmed- 
In  figure  2.18(b),  we  show  the  probability  for  two  non-immediate  neighbors  to  share  more 
fractional  keys  than  the  threshold,  vs.  \GHS\  —  th  for  varying  values  of  /.  We  observe  that  as  / 
increases,  the  curves  for  the  Pn0n-im  are  shifted  to  the  left  of  the  graph.  This  is  essentially  the 
same  result  as  if  we  were  decreasing  the  density  of  the  guards  (i.e. ,  each  node  would  hear  a  smaller 
number  of  guards  (see  figure  2.16(a))).  In  figure  2.19(a),  we  show  the  average  distance  normalized 
over  r  between  non-immediate  neighbors  that  have  in  common  more  than  th  fractional  keys.  We 
observe  that  for  threshold  values  lower  than  th  <  \GHS\  —  10,  all  non-immediate  neighbors  that 
share  sufficient  fractional  keys  are  no  more  than  two  hops  away,  for  any  value  of  the  fraction  /. 
We  also  note  that  when  the  communication  range  of  the  guards  is  smaller  than  the  nominal  range 
R,  the  average  wormhole  length  increases  (the  curves  of  the  wormhole  length  are  shifted  to  the 
left).  This  is  due  to  the  fact  that  as  the  fraction  /  increases,  each  node  hears,  on  average,  a  smaller 
number  of  guards.  Hence,  it  is  more  probable  that  two  nodes  not  within  communication  range  have 
in  common  a  smaller  number  of  fractional  keys. 

In  the  third  experiment,  we  biased  the  communication  range  of  each  guard  to  have  higher  values 
than  the  nominal  communication  range  R.  Specifically,  we  assigned  to  each  guard  a  communication 
range  value  randomly  selected  between  the  values  of  [R,  (1  +  f)R].  Hence,  each  node  would  hear, 
on  average,  a  higher  number  of  guards  compared  to  the  case  where  the  guard  communication  range 
was  equal  to  R  for  all  guards.  In  figure  2.19(b),  we  show  the  Pimmed  vs.  the  \GHS\  —  th  for  varying 
values  of  /.  Again,  the  probability  of  establishing  a  pairwise  key  with  the  one-hop  neighbor  does 
not  vary  significantly  with  the  variation  of  R.  This  result  is  consistent  with  the  graph  of  figure 
2.13(a),  where  the  variation  of  R  does  not  have  a  significant  impact  on  Pimmed- 

In  figure  2.20(a),  we  show  the  probability  for  two  non-immediate  neighbors  to  share  more 
fractional  keys  than  the  threshold  vs.  \GHS\  —  th  for  varying  values  of  /.  We  observe  that  as  / 
increases,  the  curves  for  the  Pnon-im  are  shifted  to  the  right  of  the  graph.  This  is  essentially  the 
same  result  as  if  we  were  increasing  the  density  of  the  guards,  (i.e.,  each  node  would  hear  a  higher 
number  of  guards  (see  figure  2.16(a))).  In  figure  2.20(b),  we  show  the  average  distance  normalized 
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(b) 


Figure  2.20:  Network  parameter  values:  rs  =  0.5  nodes/m2,  pg  =  0.04  guards/m2,  A=  10, 000m2.  (a)  Percentage 
of  non- immediate  neighbors  that  share  more  than  th  fractional  keys  when  R'  £  [fi,  (1  +  f)R].  (b)  Average  distance  in 
number  of  hops  between  non- immediate  neighbors  that  share  more  than  th  fractional  keys  when  R'  £  [7?,  (1  +  f)R]. 


over  r  between  non-immediate  neighbors  that  have  in  common  more  than  th  fractional  keys.  We 
observe  that  for  threshold  values  lower  than  th  <  \GHS\  —  10,  all  non-immediate  neighbors  that 
share  sufficient  fractional  keys  are  no  more  than  two  hops  away,  for  any  value  of  the  fraction  /. 
We  also  note  that  when  the  communication  range  variation  is  biased  towards  a  higher  value  than 
the  nominal  communication  range  R,  the  average  wormhole  length  decreases  (the  curves  of  the 
wormhole  length  are  shifted  to  the  left).  This  is  due  to  the  fact  that  as  the  fraction  /  increases, 
each  node  hears,  on  average,  a  higher  number  of  guards.  Hence,  it  is  less  probable  that  two  nodes 
not  within  communication  range  have  in  common  a  higher  number  of  fractional  keys. 

As a conclusion, based on our simulation results, we showed that our system can adapt to the
variation of the communication range at the guards, since the threshold value is decided based
on the number of guards heard at each node, $|GHS|$. While the variation of the communication
range R affects the absolute value of $|GHS|$, each node locally adapts its threshold to account for
the variation.


2.6  Related  Work 

2.6.1  Previously  proposed  mechanisms  for  preventing  the  wormhole  attack. 

The wormhole attack in wireless ad-hoc networks was first introduced in [90,127]. In [90], Hu et al.
propose two solutions for the wormhole attack. The first is based upon the notion of geographical
leashes. Each node includes in every packet its location $l_i$ and a timestamp indicating the time
$t_s$ the packet is sent. Since nodes are loosely synchronized, when a node with location $l_j$ receives
a packet at time $t_p$, it verifies the packet could have traveled the distance $\|l_i - l_j\| + \delta$ in a time
$t_p - t_s + \Delta$, where $\delta$ is the location error and $\Delta$ is the synchronization error.

The second solution in [90] is based on temporal leashes. To implement a temporal leash, the
sender includes in every packet a timestamp $t_s$ indicating the time the packet is sent and an
expiration time $t_e$. A node that receives a packet at time $t_r$ verifies that $t_r < t_e$ before it accepts the
packet. Temporal packet leashes require tight synchronization between all nodes of the network.
To illustrate the importance of the synchronization error: if the sender’s time is $\Delta$ time units ahead
of the receiver’s time, a packet can travel a distance up to $\Delta \cdot c$ ($c = 3 \times 10^8$ m/sec) longer than
the distance imposed by the expiration time $t_e$. Similarly, if the sender’s time is $\Delta$ units behind the
receiver’s time, the receiver has to lie within a distance $\Delta \cdot c$ closer to the sender, compared to the
distance imposed by $t_e$. Hence, the synchronization error should be on the order of nanoseconds
to be negligible.

In  [89],  Hu  et  al.  provide  a  bounding  distance  protocol  based  on  [56]  that  utilizes  a  three-way 
handshake  scheme  to  ensure  that  the  communicating  parties  are  within  some  distance.  The  sender 
sends  a  challenge  to  a  receiver,  who  replies  immediately  with  a  response.  The  sender  acknowledges 
the  response  by  another  response  to  complete  the  three-way  handshake.  Both  parties  verify  that 
they  lie  within  some  distance  by  multiplying  the  round-trip  time  of  flight  with  the  speed  of  light. 
Though  this  protocol  does  not  require  the  two  nodes  to  be  synchronized  in  order  for  the  protocol  to 
be  executed,  each  node  needs  to  have  immediate  access  to  the  radio  transmitter  in  order  to  bypass 
any  queuing  and  processing  delays.  In  addition,  nodes  should  be  equipped  with  highly  accurate 
clocks  with  nanosecond  precision  to  avoid  distance  enlargement. 
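
The two time-based checks described above (the temporal leash and the round-trip distance bound) can be exercised numerically to see why nanosecond clock accuracy is required. The following Python code is an added illustration, not code from [89] or [90]; the function names, the clock model, and the 30 m leash used in the demonstration are assumptions of this example.

```python
"""Time-based wormhole checks: temporal leash and round-trip distance bound.

Added illustration; every name here is an assumption of this example.
Clocks are modelled as floats in seconds.
"""

C = 3e8  # propagation speed in m/s (value used in the text)


def expiration_time(t_s, leash_m):
    """Sender side: t_e = t_s + leash/c, computed on the sender's clock."""
    return t_s + leash_m / C


def temporal_leash_accepts(t_r, t_e):
    """Receiver side: accept only if the local receive time t_r < t_e."""
    return t_r < t_e


def receive_time(t_s, path_m, sender_ahead_s=0.0, relay_delay_s=0.0):
    """Receiver-clock arrival time of a packet stamped t_s by the sender.

    sender_ahead_s is the synchronization error (positive when the sender's
    clock is ahead of the receiver's). path_m is the distance the signal
    actually covered and relay_delay_s any forwarding latency on the way.
    """
    true_send = t_s - sender_ahead_s
    return true_send + path_m / C + relay_delay_s


def check_link(t_s, leash_m, path_m, sender_ahead_s=0.0, relay_delay_s=0.0):
    """Full temporal-leash exchange: True if the receiver accepts the packet."""
    t_e = expiration_time(t_s, leash_m)
    t_r = receive_time(t_s, path_m, sender_ahead_s, relay_delay_s)
    return temporal_leash_accepts(t_r, t_e)


def max_accepted_distance(leash_m, sender_ahead_s):
    """Longest path that still passes the leash under a given clock offset."""
    return leash_m + sender_ahead_s * C


def rtt_distance_bound(rtt_s, turnaround_s=0.0):
    """Upper bound on distance from a challenge-response round trip.

    turnaround_s is the responder's queuing/processing delay that the
    verifier knows about; any delay it does not know about enlarges the bound.
    """
    return C * (rtt_s - turnaround_s) / 2.0


if __name__ == "__main__":
    leash = 30.0  # metres, constructed value
    print("neighbour at 25 m:", check_link(10.0, leash, 25.0))
    print("packet relayed over 300 m:", check_link(10.0, leash, 300.0))
    for offset in (1e-9, 1e-6):
        print(f"sender ahead by {offset:g} s -> accepted up to "
              f"{max_accepted_distance(leash, offset):.1f} m")
    print("legitimate 25 m neighbour, sender 1 us behind:",
          check_link(10.0, leash, 25.0, sender_ahead_s=-1e-6))
    print("RTT 0.2 us -> bound", rtt_distance_bound(2e-7), "m")
    print("same link, 1 us unknown turnaround -> bound",
          rtt_distance_bound(1.2e-6), "m")
```

With a 1 µs offset the leash admits paths ten times longer than intended, and a 1 µs unaccounted turnaround inflates the round-trip bound from 30 m to 180 m.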

In  [169],  Zhu  et  al.  propose  a  cryptographic  solution  as  a  defense  mechanism  against  the 
wormhole.  Based  on  pre-loaded  keys,  nodes  are  able  to  derive  a  pairwise  key  with  any  other 
node  without  the  need  for  any  information  exchange.  Following  a  neighbor  discovery  phase,  nodes 
unicast  to  every  neighbor  a  cluster  key  encrypted  with  the  previously  derived  pairwise  key.  While 
the  network  is  secured  against  the  wormhole  attack  once  pairwise  keys  have  been  established,  the 
authors  of  [169]  point  out  that  the  network  is  still  vulnerable  to  wormholes  during  the  neighbor 
discovery  phase.  If  an  attacker  tunnels  and  replays  the  HELLO  messages  between  two  nodes  that 
are  not  one  hop  neighbors,  the  two  nodes  will  assume  that  they  are  one-hop  away  and  establish  a 
cluster  key. 

A  centralized  solution  for  detecting  wormhole  links,  based  on  multidimensional  scaling  (MDS), 
is  presented  by  Wang  and  Bhargava  [166].  Using  received  signal  strength  measurements,  every 
node  estimates  its  distance  to  all  its  neighbors  and  reports  its  distance  estimates  to  a  powerful 
base  station.  The  base  station  applies  MDS  to  generate  a  visualization  of  the  network  topology.  In 
addition,  a  smoothing  surface  operation  mitigates  the  effects  of  the  error  in  the  distance  estimation. 
In  a  wormhole-free  network,  the  reconstructed  topology  will  correspond  to  a  flat  surface.  However, 
in  the  presence  of  wormholes,  the  surface  is  bent  in  a  circular  pattern  in  order  for  the  two  nodes 
communicating  via  the  wormhole  to  appear  connected.  The  main  limitation  of  this  method  is 
that  it  requires  a  relatively  dense  and  uniformly  distributed  network  to  detect  the  wormhole  links. 
Such  a  visualization  cannot  be  applied  to  networks  with  irregular  shapes,  such  as  a  string  topology 
(nodes  connected  in  one  line)  or  networks  with  string  parts.  In  addition,  based  on  the  simulation 
results  in  [166],  while  the  method  detects  long  wormholes  (several  hops  long),  smaller  wormholes 
(two  to  three  hops  long)  can  stay  undetected  with  a  significantly  high  probability. 

In  [88],  Hu  and  Evans  utilize  directional  antennas  to  prevent  wormhole  links.  Unlike  our  method, 
every  node  of  the  network  is  equipped  with  directional  antennas  and  all  antennas  should  have 
the  same  orientation.  Different  directions  called  zones  are  sequentially  numbered  and  every  node 
includes  the  transmitting  zone  at  each  message.  A  receiver  hearing  information  at  a  zone  A  verifies 
that the sender transmitted the message at the correct zone B, where A, B are opposite zones. Based
on information provided by neighbors that assist the wormhole detection by acting as verifiers, every
node discovers its neighbors. As pointed out by the authors of [88], a valid verifier must exist in
order for the wormhole to be detected, since not all neighbors can act as verifiers. Finally, as noted
by the authors of [88], this method can only prevent single wormholes and does not secure the
network against multiple wormhole links [88].


2.6.2  Interpretation  of  related  work  based  on  our  framework 

In  this  section,  we  show  that  previously  proposed  defense  mechanisms  against  the  wormhole  attack 
satisfy  the  graph  theoretic  model  we  presented  in  section  2.1. 

Time-based  methods 

In time-based methods [90], every transmitted message has a limited lifetime, less than or equal to the
communication range $r$ of the nodes divided by the speed of light. Hence, messages cannot travel
distances longer than the communication range, and links are only established between direct
neighbors. For any two synchronized neighbors $i, j$, node $i$ accepts a message transmitted at time
$T_s$ from node $j$ if it is received at a time $T_r \le T_s + r/c$, where $c$ is the speed of light. Hence, $e_{ij} = 1$
if and only if $\|i - j\| \le r$, a condition that satisfies the geometric graph model in (2.1). Note that
as a requirement, time-based methods have to use the fastest available medium (RF or optical
transmission) in order to prevent the wormhole attack.

In an alternative time-based method [56,61,89], nodes measure the time of flight of a
challenge-response message before communicating with another node. By limiting the time of flight to twice
the  communication  range  over  the  speed  of  light,  nodes  ensure  that  they  establish  a  link  only  with 
their  direct  neighbors.  Hence,  time  of  flight  methods  also  satisfy  the  geometric  graph  model  in 
(2.1). 


Location-based  methods 

In location-based methods [90], every message contains the coordinates of its origin. Hence, any
receiving node can infer its distance from the origin of the message and compare it to the
communication range $r$. If $\|i - j\| \le r$, the message is accepted, otherwise the message is rejected. Hence,
a link between two nodes $i, j$ can be established ($e_{ij} = 1$) if and only if $\|i - j\| \le r$, a condition that
satisfies the geometric graph model.


Wormhole  visualization 

In  the  wormhole  visualization  method  [166],  the  base  station  executing  the  Multidimensional  Scaling 
(MDS)  algorithm  constructs  the  logical  graph  G  of  the  network  based  on  the  distance  estimations  of 
each  node  of  the  network.  By  visualizing  wormholes  as  links  that  will  cause  the  flat  network  area  to 
curve  in  a  circular  way  and  eliminating  surface  anomalies,  the  base  station  applies  a  transformation 
to  G  that  reconstructs  the  corresponding  geometric  graph  G. 
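
The condition used throughout this section, $e_{ij} = 1$ if and only if $\|i - j\| \le r$, can be checked directly when node positions are known, and the effect of a single violating link on hop counts can be measured. The following Python code is an added illustration, not part of the report; the six-node line topology, the 12 m range, and all function names are constructed for this example.

```python
"""Audit established links against the geometric graph model.

Added illustration: a link (i, j) is allowed only if ||i - j|| <= r.
Topology, range and names are constructed for this example.
"""
import math
from collections import deque


def distance(pos, i, j):
    (xi, yi), (xj, yj) = pos[i], pos[j]
    return math.hypot(xi - xj, yi - yj)


def split_links(pos, links, r):
    """Partition links into those allowed by the geometric graph and the rest."""
    valid, violating = [], []
    for i, j in links:
        (valid if distance(pos, i, j) <= r else violating).append((i, j))
    return valid, violating


def hop_counts(nodes, links, source):
    """Breadth-first hop distance from source over undirected links."""
    adj = {n: set() for n in nodes}
    for i, j in links:
        adj[i].add(j)
        adj[j].add(i)
    hops = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops


def is_connected(nodes, links):
    """True if every node is reachable from the first one."""
    nodes = list(nodes)
    return len(hop_counts(nodes, links, nodes[0])) == len(nodes)


# Constructed topology: six nodes on a line, 10 m apart, range r = 12 m.
POS = {n: (10.0 * n, 0.0) for n in range(6)}
R = 12.0
# Links the nodes believe they have; (0, 5) spans 50 m and cannot be direct.
LINKS = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 5)]


def audit(pos=POS, links=LINKS, r=R):
    """Report violating links and the routing distortion they introduce."""
    valid, violating = split_links(pos, links, r)
    return {
        "violating": violating,
        "connected_after_pruning": is_connected(pos, valid),
        "hops_0_to_5_with_all_links": hop_counts(pos, links, 0)[5],
        "hops_0_to_5_after_pruning": hop_counts(pos, valid, 0)[5],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Pruning the one link that violates the range condition leaves a connected subgraph of the geometric graph and restores the true five-hop distance between the end nodes.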


2.7  Discussion 

In  our  wormhole  attack  model  in  Section  2.1.1,  we  have  assumed  that  the  adversary  mounting  the 
attack  does  not  compromise  the  integrity  and  authenticity  of  the  communication.  Hence,  the  success 
of  the  attack  is  independent  of  the  cryptographic  methods  used  to  secure  the  communication.  The 
strength  of  the  wormhole  attack  lies  in  the  fact  that  the  adversary  does  not  need  to  compromise  any 
cryptographic  quantities  or  network  nodes  in  order  to  perform  the  attack  in  a  timely  manner.  The 
lack of any compromised entities makes the wormhole attack “invisible” to the upper layers and,
hence,  the  attack  is  very  difficult  to  detect  [90].  Furthermore,  the  attacker  does  not  need  to  allocate 
any  computational  resources  to  compromise  the  communication,  thus  making  the  wormhole  attack 
very  easy  to  implement. 

Our  most  compelling  argument  for  assuming  no  key  or  host  compromise  in  a  wormhole  attack 
scenario  is  that,  if  the  adversary  were  to  be  able  to  compromise  cryptographic  keys,  there  would 
be  no  need  to  record  messages  at  one  part  of  the  network,  tunnel  them  via  a  low-latency  link,  and 
replay  them  to  some  other  part  of  the  network.  Instead,  the  adversary  could  use  the  compromised 
keys  to  fabricate  any  message  and  inject  it  into  the  network  as  legitimate.  Using  compromised 
keys  to  fabricate  and  inject  bogus  messages  into  the  network,  known  as  the  Sybil  attack  [74, 124], 
is  overall  a  different  problem  than  the  one  addressed  in  this  chapter. 

Since the wormhole attacker does not need to compromise the network communications, we have
used a globally shared symmetric key for the protection of the beacon broadcasts from the guards
in order to achieve energy-efficient communications (utilize the broadcast advantage of the wireless
medium in omnidirectional transmissions). We are indeed aware that a compromise of a single
node exposes the globally shared key and allows access to the contents of the guards’ broadcasts.
However, alternative methods for concealing and authenticating the broadcasts of the guards come
at the expense of energy-efficiency. Asymmetric key cryptography is known to be computationally
expensive for the energy-constrained devices [63]. On the other hand, using pairwise keys shared
between the guards and the nodes would provide a higher level of security under key compromise,
since only the communication of the node holding the pairwise key is exposed. However, the use
of pairwise keys requires the fractional keys to be unicast from each guard to each node within
the communication range, thus making the use of the wireless medium highly inefficient in energy
resources.

Furthermore,  under  key  and/or  node  compromise  the  wormhole  problem  essentially  becomes  a 
node  impersonation  (Sybil  attack)  problem  and,  hence,  cannot  be  prevented  by  any  of  the  methods 
that  address  the  wormhole  attack.  To  illustrate  this,  consider  the  case  where  two  nodes  not  within 
range  have  been  compromised  and  that  an  attacker  has  deployed  a  wormhole  link  between  the  two 
nodes¹¹. In such a case, the attacker can implement the wormhole attack via the compromised nodes
by  recording  the  information  at  the  origin  point,  decrypting  it  and  modifying  necessary  quantities 
to  make  the  message  look  legitimate,  re-encrypting  the  message,  and  tunneling  it  to  the  destination 
point.  To  prevent  this  type  of  attack,  additional  verifiable  information  needs  to  be  available,  such 
as  verifiable  geographical  positions  for  each  node  or  protection  against  impersonation  attacks  [124]. 
In  this  paper,  we  have  not  assumed  that  such  information  is  available. 

Similarly,  other  schemes  that  have  been  proposed  for  preventing  the  wormhole  attack  [88, 90, 
166,169]  cannot  eliminate  wormholes  under  key/node  compromise.  We  now  show  for  each  of  the 
methods  in  [88,90,166,169]  which  step  is  vulnerable  to  wormholes  under  key/node  compromise. 

In [169], different cluster keys are used to encrypt the communication within different one-hop
neighborhoods. If cluster keys are compromised, an adversary can record messages at one
neighborhood A, decrypt them with the compromised cluster key of neighborhood A, tunnel the
messages via the wormhole link to a neighborhood B that is not within the communication range
of neighborhood A, re-encrypt the messages with the compromised key of neighborhood B, and
replay the messages in neighborhood B. Cluster keys can also be compromised if the adversary
compromises the pairwise keys that are used by the nodes to distribute the cluster keys during
the initialization phase. For the method in [169], compromise of two nodes that are not within
communication range or two pairwise keys is sufficient to create a wormhole.

¹¹ A similar scenario can be considered if the cryptographic keys held by the nodes are compromised and the attacker
impersonates the two nodes without using the actual nodes for the attack implementation.

In  [90],  the  authors  use  temporal  packet  leashes  to  prevent  a  message  from  traveling  distances 
longer  than  a  pre-defined  distance.  Each  packet  contains  an  expiration  time  te  whose  integrity  is 
verified via the use of a keyed message authentication code, such as a keyed hash function (HMAC).
When a node receives a packet, first it verifies that the HMAC for the expiration time is correct
(i.e., the expiration time has not been altered while the packet is in transit). If the integrity
verification  is  correct,  the  receiving  node  verifies  that  the  packet  has  not  traveled  longer  than  the 
distance  indicated  by  te  (the  nodes  in  the  network  are  tightly  synchronized).  If  an  adversary  were  to 
compromise  the  keys  of  a  node,  it  could  alter  the  expiration  time  to  any  desired  value  and  properly 
adjust  the  keyed  message  authentication  code  so  that  the  message  can  travel  any  desired  length. 
Thus,  the  compromise  of  a  single  node  allows  the  creation  of  a  wormhole  of  arbitrary  length. 

In the wormhole visualization method [166], detection of a wormhole is based on the reconstruction
of the network topology via multi-dimensional scaling (MDS) and visualization of wormholes as
loops in the network plane. In order to visualize the network topology, every sensor of the network
has to report the distance from its one-hop neighbors to a base station. The distance report is
protected by a group key known to every sensor. If the group key gets compromised, the adversary
can alter the distance reports from the legitimate sensors and manufacture false reports, allowing
the creation of wormhole links undetectable by the visualization method. Moreover, it would be
very difficult for the visualization method to capture short wormholes in the case where the
attacker manipulates the distance reports of the nodes. In the directional antenna method presented
in [88], nodes rely upon reports from neighbor nodes to verify the validity of the neighbor discovery
protocol. Hence, compromised neighbors can mislead nodes into accepting wormhole links [88] as
valid ones.

Though  we  have  shown  that  the  adversary  can  mount  a  wormhole  attack  under  node/key 
compromise,  as  in  the  seminal  paper  in  [90],  we  argue  that  the  strength  of  the  wormhole  attack  lies 
in the fact that the adversary does not allocate computational resources to compromise nodes/keys
and  that  it  remains  “invisible”  to  upper  layers  of  the  network  (the  attack  is  implementable  with 
minimal  resources).  Furthermore,  under  the  node/key  compromise  assumption,  relatively  more 
powerful  attacks,  such  as  the  Sybil  attack  [74,  124],  can  be  mounted,  and  there  is  no  need  for 
the  adversary  to  record  and  replay  messages  (it  can  forge  messages  instead  of  recording  them). 
Nevertheless,  the  wormhole  attack  can  still  cause  significant  disruption  to  vital  network  operations, 
such  as  routing,  even  if  the  network  communications  are  not  compromised,  and,  hence,  needs  to  be 
addressed. 


2.8  Summary  of  Contributions 

We presented a graph theoretic framework for characterizing the wormhole attack in wireless ad
hoc networks. We showed that any candidate prevention mechanism should construct a
communication graph that is a connected subgraph of the geometric graph of the network. We then
proposed a cryptography-based solution to the wormhole attack that makes use of local broadcast
keys. We provided a distributed mechanism for establishing local broadcast keys in randomly
deployed networks and provided an analytical evaluation of the probability of wormhole detection
based on spatial statistics theory. We analytically related network parameters such as deployment
density and communication range with the probability of detecting and eliminating wormholes,
thus providing a design choice for preventing wormholes with any desired probability. Finally, we
also illustrated the validity of our results with extensive simulations.
Chapter 3

Resource-Efficient Group Key Management for Secure Multicast in Ad Hoc Networks


Many group applications already implemented in wired networks will be extended to wireless ad
hoc networks. For example, video-on-demand, teleconferencing, and telemedicine are envisioned to
be realized in the wireless ad hoc environment. Critical requirements for the commercial success of
such group applications are the provision of security and resource-efficiency. Multicast is the most
suitable model for reducing the incurred network load when traffic needs to be securely delivered
from a single authorized sender to a large group of valid receivers. Provision of security for multicast
sessions can be realized through encrypting the session traffic with cryptographic keys [59,162,165].
All multicast members must hold valid keys in order to be able to decrypt the received information.

While multicasting in group communications provides both energy and bandwidth efficiency,
access control policies are necessary in order to restrict access to the contents of multicast
transmissions to valid members of the Multicast Group (MG). A bandwidth and computationally efficient
solution to this problem uses a single symmetric cryptographic key, called the Session Encryption
Key (SEK), that is shared by the multicast source and all members of the MG [59, 162, 165]. Using
the SEK, the sender needs to perform only one encryption and one transmission to send data to
the MG, while the MG members need only perform a single decryption to receive the data.

In  the  case  where  the  MG  is  dynamic,  the  valid  members  of  MG  need  to  be  updated  with  a 
new  SEK  after  every  membership  change  so  that  new  members  do  not  gain  access  to  past  data 
(backward  secrecy  [59,162,165]),  and  deleted  members  do  not  access  future  transmissions  (forward 
secrecy  [59, 162, 165]).  In  order  to  update  the  SEK,  additional  keys  called  Key  Encryption  Keys 
(KEKs)  are  used  by  the  entity  managing  the  cryptographic  keys,  known  as  the  Group  Controller 
(GC). Hence, the problem of controlling access to the multicast data reduces to the problem of
managing  and  distributing  the  SEK  and  KEKs  to  the  members  of  MG.  This  problem  is  known  as 
the  Key  Management  Problem  or  Key  Distribution  Problem  (KDP)  [59,162,165]. 

Previous  research  on  the  KDP  in  wired  networks  [59,  162,  165]  mainly  focused  on  designing 
scalable  systems  that  reduce  costs  in  terms  of  key  storage  at  each  member,  and  number  of  messages 
the  GC  has  to  transmit  to  update  keys  after  a  membership  change.  Through  the  use  of  tree-based 
key structures, member key storage and GC transmissions have been reduced to the order of
$O(\log |MG|)$ [59,162,165].
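
To make the logarithmic storage and transmission costs of a key tree concrete, the following added Python example (not code from the report or from [59,162,165]) builds a complete d-ary key tree and rekeys it after one member deletion. The rekeying rule, the class name KeyTree, and the symbolic treatment of encryption (a message is readable only by a holder of the wrapping key) are assumptions of this example.

```python
"""Logical key tree (d-ary) with rekeying after a member deletion.

Added illustration: the rekeying rule is the usual key-tree one, assumed for
this example; names are hypothetical. Encryption is modelled symbolically:
a message can be opened only by a holder of the wrapping key.
"""
import secrets


class KeyTree:
    def __init__(self, d, h):
        assert d >= 2 and h >= 1
        self.d, self.h = d, h
        self.first_leaf = (d ** h - 1) // (d - 1)
        n_nodes = (d ** (h + 1) - 1) // (d - 1)
        # Node 0 holds the SEK, inner nodes hold KEKs, leaves hold member keys.
        self.keys = [secrets.token_bytes(16) for _ in range(n_nodes)]
        self.active = set(range(d ** h))

    def _children(self, node):
        return range(self.d * node + 1, self.d * node + self.d + 1)

    def _has_active(self, node):
        """True if at least one current member sits in the subtree of node."""
        if node >= self.first_leaf:
            return (node - self.first_leaf) in self.active
        return any(self._has_active(c) for c in self._children(node))

    def path(self, member):
        """Node indices from the member's leaf up to the root."""
        k = self.first_leaf + member
        nodes = [k]
        while k > 0:
            k = (k - 1) // self.d
            nodes.append(k)
        return nodes

    def member_keys(self, member):
        """Keys stored by one member: its leaf key plus every key above it."""
        return {k: self.keys[k] for k in self.path(member)}

    def delete(self, member):
        """Remove a member and return the GC's rekey messages, bottom-up.

        Each message is (node, new_key, wrap_node, wrap_key): the new key of
        `node`, encrypted under the current key of its child `wrap_node`.
        """
        self.active.discard(member)
        messages = []
        for node in self.path(member)[1:]:       # every key the member held
            new_key = secrets.token_bytes(16)
            for child in self._children(node):
                if self._has_active(child):      # skip empty subtrees
                    messages.append((node, new_key, child, self.keys[child]))
            self.keys[node] = new_key
        return messages


def apply_rekey(held, messages):
    """Update one member's key store from the broadcast rekey messages."""
    held = dict(held)
    for node, new_key, wrap_node, wrap_key in messages:
        if held.get(wrap_node) == wrap_key:      # this member can decrypt
            held[node] = new_key
    return held


def demo(d=2, h=3, victim=5):
    """Delete one member and replay the rekey broadcast at every member."""
    tree = KeyTree(d, h)
    before = {m: tree.member_keys(m) for m in range(d ** h)}
    msgs = tree.delete(victim)
    after = {m: apply_rekey(keys, msgs) for m, keys in before.items()}
    return tree, msgs, before, after


if __name__ == "__main__":
    tree, msgs, before, after = demo()
    print("keys stored per member:", len(before[0]))   # h + 1
    print("rekey messages sent by GC:", len(msgs))     # d*h - 1
    print("deleted member learned new SEK:", after[5][0] == tree.keys[0])
```

For a full tree of N = d^h members, each member stores h + 1 keys and a deletion costs d·h − 1 messages, both logarithmic in N; the deleted member cannot open any of the messages.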

While  key  storage  and  sender  communication  cost  are  important  performance  metrics  even  in 
wireless  ad-hoc  networks,  total  energy  expended  by  the  network,  and  total  communication  overhead, 
are  critical  parameters  for  the  viability  and  operability  of  many  network  services,  including  the 
secure  multicast  service,  when  the  network  devices  are  resource-limited.  However,  the  energy  and 
total  communication  overhead  were  not  a  major  concern  in  wired  networks.  Thus,  the  solutions 
proposed  for  the  KDP  in  wired  networks  [59,162,165],  are  not  sufficient  for  wireless  ad-hoc  networks. 


3.1  Our  Contributions 

We  make  the  observation  that,  for  the  wireless  ad  hoc  network  environment,  the  energy  expenditure 
and  bandwidth  requirement  for  distributing  messages  from  a  single  source  to  multiple  receivers 
(physical  layer),  depends  upon  the  network  topology  (network  layer).  Hence,  one  can  distribute 
cryptographic  keys  in  a  resource  efficient  way  (application  layer)  by  employing  a  cross-layer  design. 
Figure 3.1 shows the type of cross-layer interaction used in the design of the key management
scheme. 


Figure 3.1: Schematic of the type of cross-layer interaction that is used in our energy-efficient key management
scheme. (Diagram: Application Layer, Key Management for Secure Multicast; Network Layer, Routing Protocol;
Physical Layer, Transmission Power Assignment - Measurements.)

We examine the KDP under four metrics, each of which involves optimizing one of the following
network  resources:  (a)  member  key  storage,  (b)  GC  transmissions,  (c)  number  of  messages  sent 
by  the  network  to  update  the  SEK  and  related  KEKs,  which  we  refer  to  as  MG  update  messages, 
and  (d)  the  energy  expended  by  the  network  for  delivering  the  update  messages  to  valid  members 
of  MG  after  a  member  deletion,  which  we  refer  to  as  average  update  energy  cost.  We  formulate 
the  relevant  optimization  problem  for  each  metric,  and  provide  the  optimal  solution  when  possible. 
We  show  that  metrics  (a)  and  (b)  do  not  depend  on  the  network  topology  and  unique  solutions  to 
the  KDP  can  be  obtained  that  are  equivalent  to  the  optimal  solutions  provided  for  wired  networks 
[59,162,165].  Metrics  (c)  and  (d),  however,  are  directly  related  to  the  network  topology  and  depend 
on  both  the  network  and  physical  layer. 

We prove that finding the key assignment structure that minimizes the MG update messages
is an NP-complete problem. We further prove that finding the key assignment structure that
minimizes update energy cost for rekeying is also an NP-complete problem. In addition, we show that no
solution can concurrently optimize all four metrics and hence, there exists a tradeoff among them.
Hence, we focus on finding a heuristic that bounds member key storage and GC transmissions, and
at the same time provides suboptimal performance in terms of MG update messages and update
energy cost.

Our proposed heuristics rely on the key-tree structures used in wired networks [59, 162, 165];
however, they take the network topology into account to reduce the average update energy cost
and bandwidth requirements. We study the properties of the average update energy cost in terms
of  the  network  size,  key  tree  degree  and  medium  path  loss  model,  and  derive  an  upper  bound  of  the 
metric  in  terms  of  these  parameters.  We  optimize  the  degree  of  the  key  tree  to  derive  the  lowest 
upper  bound. 

Observing  that  energy  savings  occur  when  an  identical  message  is  delivered  to  a  set  of  nodes 
reached  by  common  routing  paths,  we  define  and  use  the  idea  of  “power  proximity”  to  group  nodes 
in  the  key  tree.  We  also  make  the  observation  that  when  the  transmission  medium  is  homogeneous 
with  constant  attenuation  factor,  the  “power  proximity”  property  is  a  monotonically  increasing 
mapping  to  physical  proximity.  Hence,  we  replace  “power  proximity”  with  physical  proximity  by 
using  Euclidean  distance.  When  the  medium  is  heterogeneous,  we  note  that  due  to  varying  path 
loss  parameter,  “power  proximity”  is  no  longer  a  monotonic  mapping  to  physical  proximity.  In  this 
case,  we  directly  incorporate  “power  proximity”  by  considering  the  transmission  power  in  grouping 
nodes  in  the  key  tree. 

We also present an analytical computation of the average update energy when routing
information is available. We develop a simple suboptimal, cross-layer algorithm called RawKey that
considers the node transmission power (physical layer property) and the multicast routing topology
(network layer property) in order to construct an energy-efficient key management scheme
(application layer property). After showing that the cross-layer design has to make use of underlying
broadcast routing, we analyze the impact of recently proposed multicast routing protocols on the
energy expenditure due to key update communication overhead. We consider power-efficient
multicast routing algorithms such as the Broadcast Incremental Power (BIP) [164], the Embedded
Wireless Multicast Advantage (EWMA) [58], the Minimum Spanning Tree (MST) [49] and the
Shortest Path Routing (SPR) [49].

Finally, we propose a heuristic called VP3 that makes use of network flows to build an energy
and bandwidth efficient key assignment structure. We establish performance bounds for VP3
and, through extensive simulations, show that VP3 makes near optimal key assignment decisions.
We present the energy and bandwidth efficiency improvement achieved by VP3 over RawKey.
This improvement comes at the expense of increased algorithmic complexity of $O(|MG|^2)$ versus
$O(|MG|)$ of RawKey. Finally, we propose On-line VP3, an $O(|MG|)$ complexity algorithm that
performs dynamic maintenance of the key assignment structure, by inserting and deleting members
without having to rebuild the key assignment structure after each membership change.


3.2  Network  Assumptions  and  Notation 

Network  deployment 

We  assume  that  the  network  consists  of  N  multicast  members  plus  the  GC,  randomly  distributed 
in  a  specific  area.  We  consider  a  single-sender  multiple-receiver  communication  model.  All  users 
are  capable  of  being  relay  nodes  and  can  collaboratively  relay  information  between  an  origin  and 
destination.  We  also  assume  that  the  network  nodes  have  the  ability  to  generate  and  manage 
cryptographic  keys.  The  nodes  of  the  network  are  assumed  to  be  in  a  fixed  location,  after  their 
initial  placement.  We  assume  that  nodes  have  a  mechanism  to  acquire  their  location  information 
via  a  localization  method  [46, 57, 86, 106, 107, 125, 136]. 
Table 3.1: Notation used for the key distribution problem.

Symbol               Description
GC                   Group Controller
MG                   Multicast Group
N                    Multicast group size
$M_i$                $i$th member of MG
T                    Key distribution tree
h                    Height of T
d                    Degree of T
l                    Level of a node in T
A → B : m            A sends message m to B
$K_{l,j}$            Key assigned to the $j$th node at level $l$ in T
[...]                Message m is encrypted with key $K_{l,j}$
$S_{l,j}(T)$         Set of multicast group members that hold key $K_{l,j}$ in T
$P_{M_i}$            Total power required to unicast a message from GC to $M_i$
$E_{M_i}$            Total energy required to unicast a message from GC to $M_i$
$E_{M_i \to M_j}$    Energy expenditure of $M_i$ when transmitting a message to $M_j$
$E_S$                Energy cost for the GC and MG when multicasting to group S
R                    The multicast routing tree with set of nodes MG

Network  initialization 

We assume that the network has been successfully initialized and initial cryptographic quantities for
trust establishment (at least pairwise trust) have been distributed [65,75,115]. We further assume
that the underlying routing is optimized in order to minimize the total power required for broadcast.
Although it is known that finding the optimal solution for total minimum power broadcast is
NP-complete [58], several heuristics with suboptimal performance have been proposed in the recent
literature [58,164]. Since our goal is to design key management algorithms and not protocols, we
do not address the MAC layer implementation of our algorithms.


Wireless  medium  and  signal  transmission 

We consider the cases of a homogeneous and a heterogeneous medium separately, since the
complexity and inputs of the algorithms that we propose differ depending on the type of the medium.
In the case of the homogeneous medium, we assume that the transmission power $P(d_{i,j})$ required
for establishing a communication link between nodes i and j is proportional to a constant
exponent (attenuation factor $\gamma$) of the distance $d_{i,j}$, i.e. $P(d_{i,j}) \propto d_{i,j}^{\gamma}$. For simplicity, we set the
proportionality constant to be equal to one. An example of a homogeneous path loss medium is an
obstacle-free, open space terrain with Line of Sight (LOS) transmission. Note that for fixed length
messages, transmission power is proportional to energy expenditure and vice versa.

For a heterogeneous medium, no single path loss model may characterize the signal
transmission in the network deployment region. Even when node locations are relatively static, path loss
attenuation can vary significantly when the network is deployed in mountains, dense foliage, an urban
region, or on different floors of a building. In [140], different path loss models have been
presented based on empirical data. The two most common models with varying path loss for calculating
the power attenuation at a distance d from the transmitter are: (a) Suburban area - a slowly
varying environment where the attenuation loss factor changes slowly across space; (b) Office building -
a highly heterogeneous environment where the attenuation loss factor changes rapidly over space.
We will use these models in simulations where we illustrate our algorithms.


Antenna  model 

We assume that omnidirectional antennas are used for transmission and reception of the signal [164].
The omnidirectionality of the antennas results in a property unique to the wireless environment,
known as the wireless broadcast advantage (WBA) [164]. However, in secure multicast the broadcast
advantage can be exploited only if more than one receiver within range holds the decryption
key. Hence, the use of omnidirectional antennas does not guarantee WBA when security is an
added feature. Table 3.1 presents the notation used in the rest of the chapter.


3.3  Basic Problems on Key Management for Group Communications in Ad Hoc Networks

In  this  section,  we  present  four  suitable  metrics  for  the  KDP  in  wireless  ad-hoc  networks.  For  each 
metric,  we  formulate  an  optimization  problem  and  present  the  optimal  solution.  We  show  that 
the  formulations  for  the  member  key  storage  and  GC  transmission  metrics  reduce  to  equivalent 
formulations  to  wired  networks  and  hence,  the  same  solutions  apply.  On  the  other  hand,  the 
formulations  for  the  MG  transmissions  and  energy  update  cost  are  specific  to  wireless  networks. 


3.3.1  Member Key Storage, $k(M_i, D_k)$

Let $D_k$ denote a key assignment structure to the members of MG. We want to find the optimal
key assignment structure $D_k^*$ that minimizes the average number of keys assigned to each member
$M_i$:

$$D_k^* = \arg\min_{D_k} \frac{1}{N} \sum_{i=1}^{N} k(M_i, D_k). \tag{3.1}$$

Note  that  in  (3.1),  the  quantity  minimized  is  the  average  number  of  keys  since  key  assignment 
structures  need  not  assign  the  same  number  of  keys  to  every  member. 

Theorem 3 The optimal key assignment structure $D_k^*$ that minimizes member key storage can be
represented as an N-ary key tree, where the GC shares a unique KEK with each member, and the
SEK with all members of MG [59, 162, 165].

Proof  12  Each  member  needs  to  hold  the  SEK  in  order  to  decrypt  the  multicast  data.  In  addition, 
the  GC  needs  to  be  able  to  securely  update  the  SEK  to  every  member  in  case  of  a  membership 
change.  Hence,  each  member  needs  to  share  at  least  one  pairwise  KEK  with  the  GC,  to  decrypt  the 
SEK  update.  Thus,  the  optimal  member  key  storage  solution  assigns  two  keys  to  each  member  of 
MG,  and  can  be  represented  as  an  N-ary  key  tree. 

Note that the optimal solution for the member key storage metric is independent of the nature
of  the  network,  wireless  or  wired.  Hence,  the  solution  for  wireless  networks  is  the  same  as  the  one 
provided  for  wired  networks  in  [59, 162, 165]. 


3.3.2  GC Transmissions, $t_x(M_i, D_{tx})$

Let $t_x(M_i, D_{tx})$ denote the number of messages transmitted by the GC when $M_i$ leaves MG, and
keys are assigned according to the key assignment structure $D_{tx}$. We want to find the optimal $D_{tx}^*$
that minimizes the average number of key messages transmitted by the GC to the members of
MG after $M_i$ leaves the group:

$$D_{tx}^* = \arg\min_{D_{tx}} \frac{1}{N} \sum_{i=1}^{N} t_x(M_i, D_{tx}). \tag{3.2}$$


Note  that  we  minimize  the  average  number  of  GC  transmissions  required  to  rekey  MG,  to  take 
into  account  unbalanced  key  assignment  structures  as  well. 


Theorem 4 The optimal key assignment structure $D_{tx}^*$ for member deletions can be obtained by
distributing one KEK to every possible subset of MG [59, 162, 165].

Proof 13 If each possible subset of MG shares a unique KEK, an arbitrary set of members can be
represented  by  the  index  of  the  corresponding  KEK.  Hence,  after  the  deletion  of  any  set  of  members, 
the  GC  can  notify  all  remaining  valid  members  of  MG  to  use  their  unique  common  KEK  as  the  new 
SEK,  by  just  broadcasting  the  index  of  the  KEK  corresponding  to  the  remaining  members.  Hence, 
by  assigning  a  unique  key  to  every  possible  subset  of  members,  the  GC  can  update  the  SEK  after 
the  deletion  of  any  set  of  members,  by  transmitting  a  single  message. 

As  in  the  case  of  member  key  storage,  the  number  of  GC  transmissions  depends  on  Dtx  and  not 
on  the  network  topology.  Hence,  the  optimal  solution  for  wireless  networks  is  identical  to  the  one 
for  wired  networks  [59, 162, 165]. 


3.3.3  MG Key Update Messages, $m_{M_i}(D_m)$

Let $m_{M_i}(D_m)$ denote the number of messages transmitted/relayed by the nodes of the network
in order to update the SEK and KEKs after deletion of $M_i$. We want to find the optimal key
assignment structure $D_m^*$ that minimizes the average number of messages $m_{Ave}$ transmitted/relayed
by all network nodes for updating the SEK and KEKs, when a member leaves the group:

$$D_m^* = \arg\min_{D_m} \frac{1}{N} \sum_{i=1}^{N} m_{M_i}(D_m). \tag{3.3}$$


In contrast to the previous two metrics, $m_{M_i}$ depends both on the network topology as well as
the choice of $D_m$. The number of messages the nodes of the network have to transmit/relay after
the deletion of a member varies depending on the specific member being deleted. Thus, we use
the average number of MG update messages, $m_{Ave}$, to evaluate the efficiency of a key assignment
structure $D_m$.

Theorem 5 Finding the optimal key assignment structure $D_m^*$ that minimizes the average number
of MG update messages $m_{Ave}$ is an NP-complete problem.

Proof 14 Under Theorem 2, the GC can update the SEK after the deletion of any set of members
from MG by transmitting a single message to the remaining valid members of MG, when
using the optimal structure $D_{tx}^*$. Hence, the problem of minimizing the number of messages
transmitted/relayed by the network nodes reduces to the problem of minimizing the number of messages
transmitted/relayed by the nodes of the network to deliver one message from the GC to every member
of MG. In turn, the latter problem can be mapped to the problem of finding the minimum power
broadcast routing tree $R_m$ rooted at the GC, in which each node of the network can either broadcast
a message with unit power p = 1, or not transmit at all (p = 0). This routing problem is known as
the Single Power Minimum Broadcast Cover problem (SPMBC) [58], with input parameter p = 1,
and has been proven NP-complete in [58]. Hence, the problem of minimizing the average number
$m_{Ave}$ of MG update messages is also NP-complete.

3.3.4  Average Energy Update Cost, $E_{M_i}(D_E)$

Let $E_{M_i}(D_E)$ denote the total energy expended by all network nodes in order to deliver the rekey
messages to MG after a member deletion. We want to find the optimal key assignment structure
$D_E^*$ that minimizes the average update energy $E_{Ave}$:

$$D_E^* = \arg\min_{D_E} \frac{1}{N} \sum_{i=1}^{N} E_{M_i}(D_E). \tag{3.4}$$

The total energy expenditure depends on the network topology and the choice of $D_E$. Thus, as
was the case for $m_{M_i}$, $E_{M_i}$ varies depending on which member is deleted from MG. Therefore, we
choose the average update energy cost $E_{Ave}$ to evaluate the performance of $D_E$ over MG.

Theorem 6 Finding the optimal key assignment structure $D_E^*$ that minimizes the average update
energy $E_{Ave}$ is an NP-complete problem.

Proof 15 Under Theorem 2, the GC can update the SEK after the deletion of any set of members
from MG by transmitting a single message to the remaining valid members of MG, when using
the optimal structure $D_{tx}^*$. Hence, the problem of minimizing the total energy expenditure required
to update the SEK after the deletion of any set of members reduces to the problem of distributing
one message to all valid members of MG, expending the least amount of energy. The latter problem
is equivalent to finding a broadcast routing tree $R_E$, rooted at the GC, that minimizes the energy
required to deliver one message from the GC to every valid member of MG. This problem is known
as the Minimum Broadcast Cover problem (MBC) [58, 66], a generalized version of the SPMBC
problem, for cases in which the transmission power level for a node can adopt any value
$p \in [0, P_{max}]$. The MBC problem has been proved to be NP-complete in [58, 66] and, hence, the problem
of minimizing the average update energy $E_{Ave}$ is also NP-complete.

Figure 3.2: (a) A binary logical hierarchical key tree. Members are placed at the leaf nodes. Each member holds
the keys traced along the path from the leaf to the root of the tree. If $M_1$ leaves MG, all keys known to it ($K_0$, $K_{1,1}$)
are updated. (b) Update messages in the order in which they are sent by the GC after $M_1$ leaves the multicast group.

Our notation stresses the fact that the optimal solution for one of the four problems does not
imply optimality for the other three. For instance, the optimal solution to the member key storage
problem requires the GC to unicast the SEK to each member of MG every time a member joins
or leaves MG, hence demanding O(N) GC transmissions. On the other hand, the
optimal solution to the GC key transmission problem for leave operations requires each user to
store at least $2^{(N-1)}$ keys, thus making user storage requirements grow exponentially with group
size [59, 162, 165]. Hence, we must make some tradeoffs in order to build a solution that is scalable in all
four metrics and is energy and bandwidth efficient.

A key assignment structure that is scalable in both member key storage and GC transmissions
was independently proposed in [165] and in [162]. In both proposals it was shown that using a Logical
Key Hierarchy (LKH) such as d-ary key trees reduces member key storage and GC transmissions
to $O(\log_d N)$. While key trees are minimal structures in terms of member key storage and GC
transmissions, not all key trees are energy-efficient. However, we show that key tree structures
designed by incorporating the metrics of $m_{Ave}$ and $E_{Ave}$ lead to energy and bandwidth-efficient
solutions to the KDP. Before we present the problem formulation for key trees, we introduce the
LKH structure.


3.4  Logical  Key  Hierarchies  and  Key  Distribution  Trees 

To explain the logical key hierarchy (LKH) structure, we first provide some necessary definitions:

Definition 3 - Node Depth, r(i) - The depth r(i) of node i is the length, measured in edges, of the
path traced from the node to the root of the tree.

Figure 3.3: (a) An $\alpha$-ary hierarchical tree of height $h = \log_\alpha N$. After the deletion of member $M_1$, the $\log_\alpha N$ keys
traced from $M_1$ to the root of the tree (except for the pairwise key shared between $M_1$ and the GC) need to be updated.
(b) The update messages sent from the GC to sub-groups to update the KEKs and SEK due to the deletion of $M_1$.


Definition 4 - Node Weight, w(i) - The node weight w(i) of node i is equal to the number of edges
leaving i.


Definition 5 - Leaf Ancestor Weight, $w_a(i)$ - The leaf ancestor weight $w_a(i)$ of node i is the sum of
the weights of all nodes traced on the path from i to the root of the tree.

Figure 3.2 shows a binary key distribution tree for a network of N = 8 nodes, plus the GC.
Each node of the tree is assigned a KEK, $K_{l,j}$, where l denotes the tree level and j denotes the
node index (i.e. $K_{1,2}$ is assigned to node 2 at level 1 of the tree). The root node is at level 0, and
$K_0$ can also be used as the SEK.

In [162, 165], each user is randomly assigned to a tree leaf, and holds the keys traced on the
path from the leaf to the root of the tree (i.e. user $M_5$ in Figure 3.2 is assigned the set of keys
$\{K_{3,5}, K_{2,3}, K_{1,2}, K_0\}$). We denote the subset of users that receive key $K_{l,j}$ as $S_{l,j}$. For example,
$S_{1,1} = \{M_1, M_2, M_3, M_4\}$. Under this regime, the number of KEKs stored by each member is equal
to the depth of its leaf. Thus, worst-case storage requirements for any node will be $\lceil \log_d N \rceil$ KEKs,
and the SEK.

Figure 3.2(a) shows what keys will have to be updated if user $M_1$ leaves MG. In this case,
the GC will have to transmit the sequence of messages shown in 3.2(b). Each message in 3.2(b)
is represented in Figure 3.2(a) by a dashed arrow. The arrows leaving $K_{1,1}$ represent the first two
messages in figure 3.2(b), while the arrows leaving $K_0$ represent the last two messages in figure
3.2(b). It has been shown that GC transmissions due to member deletions increase as a function of
$\alpha \log_\alpha N$ [83, 121, 149]. The cost of join operations, on the other hand, is proportional to the depth
of the leaf the new user is assigned, a function of $\log_\alpha N$ [83, 121, 149].

In figure 3.3(a), we show the general case of an $\alpha$-ary hierarchical tree of height $h = \log_\alpha N$. We
can verify that the communication for deleting a member from the multicast group is $\alpha \log_\alpha N - 1$
messages [59]. If $M_1$ is deleted, the GC needs to update all the keys traced on the path from $M_1$ to
the root of the tree, except for the pairwise key shared between $M_1$ and the GC (a total of $\log_\alpha N$
keys). In figure 3.3(b), we show the encrypted messages sent by the GC to update all keys (except
for the pairwise key) known to member $M_1$. The GC needs to send $(\alpha - 1)$ messages to update
$K_{\alpha-1,1}$ ($(\alpha - 1)$ members hold $K_{\alpha-1,1}$ after the deletion of $M_1$), and $\alpha$ messages to update each of
the remaining $\log_\alpha N - 1$ keys. Hence, the number of keys sent by the GC for deleting $M_1$ or any other
member is equal to $\alpha \log_\alpha N - 1$. In [59], the authors propose the use of key trees in conjunction
with pseudo-random functions to reduce the communication cost to $(\alpha - 1) \log_\alpha N$ messages per
member deletion.


3.5  The  Average  Update  Energy  Cost 

In this section, we examine how the average update energy cost depends on $\alpha$ and N when the key
assignment structure is a tree of degree $\alpha$ with N leaves (a multicast group size of N members),
and derive an upper bound for $E_{Ave}$.


3.5.1  Dependency of $E_{Ave}$ on the group size N, the tree degree $\alpha$, and the network topology

Let $E_{M_i}$ denote the energy expenditure for updating the compromised keys after the deletion of the
ith member. Also, let $p(M_i)$ denote the probability for member $M_i$ to leave the multicast group.
We define the average key update energy, $E_{Ave}$, required for key update after a member deletion
as:

$$E_{Ave} = \sum_{i=1}^{N} p(M_i) E_{M_i}. \tag{3.5}$$

$E_{Ave}$ depends on the energy $E_{M_i}$ required to deliver key updates if each member $M_i$ were to be
deleted from the multicast group MG. Regardless of which member is deleted, the GC needs to
transmit $(\alpha \log_\alpha N - 1)$ key update messages [165]. These messages are routed to different
sub-groups $SG_i \subset MG$, where $i = 1 \ldots (\alpha \log_\alpha N - 1)$. Letting $E_X^R$ denote the energy expenditure for
sending an identical message to every member of the sub-group $X \subset MG$ via the routing tree R,
the energy expenditure $E_{M_i}$ for updating keys after the deletion of member $M_i \in MG$ is:

$$E_{M_i} = \sum_{i=1}^{\alpha \log_\alpha N - 1} E_{SG_i}^R. \tag{3.6}$$

$E_{M_i}$ depends on the routing tree R and cannot be analytically expressed unless a specific
realization of R is provided. Hence, we derive an upper bound on $E_{M_i}$, making use of a sequence
of properties of the WBA. To do so, we first prove the following theorem:

Theorem 7 The energy required to deliver a message to a sub-group of members $SG_i \subset MG$ via
a routing tree R cannot be greater than the energy required to deliver a message to all members of
MG via the same routing tree R:

$$E_{SG_i}^R \le E_{MG}^R, \quad \forall\, SG_i \subseteq MG. \tag{3.7}$$

Figure 3.4: (a) Theorem 1: When a message is sent to all members of MG, all relay nodes $TR = \{r_1, r_2, \ldots, r_{|TR|}\}$
have to transmit. When a message is sent to any sub-group $SG_i \subset MG$, a subset $TR_i \subseteq TR$ of relay nodes need
to transmit. (b) Theorem 2: A single transmission of power $(d_{GC,M_f})^{\gamma_{max}}$ reaches all members of MG with one
hop, resulting in routing tree R. (c) The optimal multicast routing tree $R^*$ always requires less power than R, by
definition.

Proof 16 Let $TR = \{r_1, r_2, \ldots, r_{|TR|}\}$ denote the set of all relay nodes in the multicast routing
tree R utilized by the multicast group MG. In order to deliver a single message to every member of
the multicast group MG, every node in TR has to transmit. Hence,

$$E_{MG}^R = \sum_{r_i \in TR} E_{r_i}, \tag{3.8}$$

where $E_{r_i}$ denotes the energy required for transmission of one message by relay node $r_i$. In order to
deliver a message to a sub-group $SG_i \subseteq MG$, a subset $TR_i \subset TR$ of the relay nodes has to transmit
(no more than the total number of relay nodes can transmit). Hence, $|TR_i| \le |TR|$, $\forall\, SG_i \subset MG$.
The energy to deliver a message to a sub-group $SG_i$ is:

$$E_{SG_i}^R = \sum_{TR_i} E_{r_i} \le \sum_{TR} E_{r_i} = E_{MG}^R, \quad \forall\, SG_i \subset MG. \tag{3.9}$$

In figure 3.4(a) we illustrate Theorem 1. To deliver a message to all members of MG, all relay
nodes need to transmit. However, in order to deliver a message to a sub-group $SG_i$, no more than
the whole set TR of relay nodes may transmit. Hence, the energy required to deliver a message to
any sub-group of MG is no greater than the energy required to deliver a message to all members
of MG.

Using Theorem 7, we can bound the energy expenditure for updating keys after the deletion of
$M_i$ expressed in (3.6) as:

$$E_{M_i} = \sum_{i=1}^{\alpha \log_\alpha N - 1} E_{SG_i}^R \le E_{MG}^R\, (\alpha \log_\alpha N - 1). \tag{3.10}$$

The bound in (3.10) holds for an arbitrary routing tree R. Hence, we can use the minimum total
power routing tree $R^*$ and bound the average key update energy $E_{Ave}$ as:

$$
\begin{aligned}
E_{Ave} = \sum_{i=1}^{N} p(M_i)\, E_{M_i} &\le \sum_{i=1}^{N} p(M_i)\, E_{MG}^{R^*} (\alpha \log_\alpha N - 1) \\
&\le E_{MG}^{R^*} (\alpha \log_\alpha N - 1) \sum_{i=1}^{N} p(M_i) \\
&\le E_{MG}^{R^*} (\alpha \log_\alpha N - 1).
\end{aligned}
\tag{3.11}
$$


The bound in (3.11) has two different components. The first component is the minimum energy
$E_{MG}^{R^*}$ required for sending a message to the whole multicast group MG. While $E_{MG}^{R^*}$ depends on
the wireless medium characteristics and the network topology, we can relax the network topology
dependency by bounding $E_{MG}^{R^*}$ using only the wireless medium characteristics and the size of the
deployment region.

Let $\gamma_{max}$ denote the maximum value of the attenuation factor for the heterogeneous medium
where the network is deployed, and $T_{trans}$ denote the duration of the transmission of one message.
Let $M_f$ denote the farthest member from the GC, and let $d_{GC,M_f}$, the distance between GC and
$M_f$, denote the radius of the deployment region^1. Then, the following theorem holds:


Theorem 8 The energy required to deliver a single message to every member of the multicast group
MG via the minimum total power routing tree $R^*$ is no greater than the energy required to deliver a
single message from the GC to $M_f$ via a one hop transmission and assuming an attenuation factor
of $\gamma_{max}$ between the GC and $M_f$:

$$E_{MG}^{R^*} \le E_{M_f} = (d_{GC,M_f})^{\gamma_{max}}\, T_{trans}. \tag{3.12}$$


Proof 17 Let $\gamma_i$ denote the attenuation factor in the link between the GC and member $M_i$, with
$\gamma_i \le \gamma_{max}$, $\forall M_i \in MG$. The transmission power required for communication via a one hop link
between $M_i$ and GC is $P(d_{GC,M_i}) = (d_{GC,M_i})^{\gamma_i}$. Since $d_{GC,M_i} \le d_{GC,M_f}$ and $\gamma_i \le \gamma_{max}$, $\forall M_i \in MG$,
it follows that:

$$P(d_{GC,M_i}) = (d_{GC,M_i})^{\gamma_i} \le (d_{GC,M_f})^{\gamma_{max}}, \quad \forall M_i \in MG. \tag{3.13}$$

Hence, by letting the GC transmit with power $(d_{GC,M_f})^{\gamma_{max}}$, we reach every member $M_i \in MG$.
This is equivalent to constructing a multicast routing tree R where every member is connected to
the GC with one hop. The power required to deliver a message to all members of MG according to
R cannot be less than the minimum total power obtained by $R^*$. Hence, the energy expenditure to
deliver a message to all $M_i \in MG$ via $R^*$ cannot be greater than the energy expenditure to deliver
the same message to all $M_i \in MG$ via R:

$$E_{MG}^{R^*} \le E_{MG}^{R} \le (d_{GC,M_f})^{\gamma_{max}}\, T_{trans}. \tag{3.14}$$

^1 The diameter or the size of the deployment region may also be defined as the maximum physical distance between
any two nodes of the network. However, such a definition leads to a looser upper bound and is not considered.

In figure 3.4(b), the GC transmits with power $(d_{GC,M_f})^{\gamma_{max}}$, thus being able to reach every
member with one hop. In figure 3.4(c) we show a generic optimal multicast routing tree $R^*$ for the
same network as in figure 3.4(b). Since $R^*$ is optimal, it holds that $E_{MG}^{R^*} \le (d_{GC,M_f})^{\gamma_{max}}\, T_{trans}$.

The second component of the bound in (3.11) is the number of update messages sent by the GC for
deleting a member from the multicast group. While the number of messages grows logarithmically
with the group size N, and N is not a design parameter, we can calculate the tree degree $\alpha^*$ that
minimizes the number of update messages:

$$\frac{d}{d\alpha} (\alpha \log_\alpha N - 1) = 0 \;\Rightarrow\; \alpha^* = e. \tag{3.15}$$

The degree of the tree has to be an integer number and hence, the lowest upper bound for $E_{Ave}$ is
achieved when $\alpha = 3$. The lowest upper bound for the average key update energy, independent of
the network topology and probability distribution of member deletions, is:

$$E_{Ave} \le (\alpha^* \log_{\alpha^*} N)\, (d_{GC,M_f})^{\gamma_{max}}\, T_{trans} = (3 \log_3 N)\, (d_{GC,M_f})^{\gamma_{max}}\, T_{trans}. \tag{3.16}$$
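
The stationary point in (3.15) and the integer choice $\alpha = 3$ can be checked directly. The following derivation is added here as a worked step and uses only the symbols of (3.15):

$$\alpha \log_\alpha N - 1 = \frac{\alpha \ln N}{\ln \alpha} - 1, \qquad \frac{d}{d\alpha}\left(\frac{\alpha \ln N}{\ln \alpha} - 1\right) = \ln N \cdot \frac{\ln \alpha - 1}{(\ln \alpha)^2}.$$

For $N > 1$ the derivative is negative on $1 < \alpha < e$ and positive on $\alpha > e$, so $\alpha^* = e$ is the unique minimizer. Comparing the neighbouring integers, $\frac{2}{\ln 2} \approx 2.885$ and $\frac{3}{\ln 3} \approx 2.731$, so $3 \log_3 N < 2 \log_2 N$ for every $N > 1$, while $\frac{4}{\ln 4} = \frac{2}{\ln 2}$ shows that a degree of 4 costs as many messages as a binary tree.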

We  now  examine  how  we  can  reduce  EAve  by  exploiting  the  “power  proximity”  property. 

3.6  Impact  of  Power  Proximity  on  the  Energy  Efficiency  of  Key 
Management 

$E_{Ave}$ is directly related to the individual energies $E_{M_i}$ for updating keys after each member leaves
the multicast group. In (3.6), we expressed $E_{M_i}$ as the sum of the energies $E_{SG_i}^R$ required to
deliver key updates to sub-groups $SG_i$ via the routing tree R. The routing tree R is optimized for
distributing the multicast application data to group members and hence, is not a design parameter.
The sub-groups $SG_i$ are determined by how we place the members at the leaves of the key distribution
tree, i.e. the way that we choose to assign common KEKs to members. To reduce $E_{SG_i}^R$, we need
to group members in the key tree in such a way that less energy is required to deliver key
updates to them via R. To do so, we introduce the property of “power proximity.” “Power proximity” is
similar to physical proximity, with transmission power used as a metric instead of Euclidean
distance. A formal definition is given below.

Definition 6 - “Power proximity” - Given nodes (i, j, k), we say that node i is in “power
proximity” to node j compared to node k if $P(d_{i,j}) < P(d_{j,k})$, where $P(d_{a,b})$ denotes the transmission
power required for establishing communication^2 between nodes a, b.

^2 Note that although we do not directly consider the routing tree as a design parameter, the idea of “power
proximity” is inherent in energy-aware routing [164]. By letting the weights of each link indicate the amount of
power required to maintain the link connectivity, we can construct a minimum spanning routing (MST) tree based
on “power proximity.” In fact, the MST of this type uses the criterion of the definition of “power proximity.”

Given the definition of “power proximity,” we show how we can incorporate it in the key tree
design in both the cases of a homogeneous and heterogeneous medium.


3.6.1  Network  deployed  in  a  homogeneous  medium 


In a homogeneous medium, the transmission power for communication between nodes i, j is a
monotonically increasing function of the distance $d_{i,j}$. Under the assumption that routing is
designed to reduce the total transmission power, nodes in physical proximity have overlapping routing
paths [164]. Intuitively, nodes that are physically close will also have common links in the path
traced from the GC towards them. Hence, if nodes located physically close also share common
keys, they receive the same key updates from the GC and the energy and bandwidth overhead
associated with the key distribution is reduced.

To illustrate the need for designing a physical proximity based key distribution, we consider
the ad hoc network in figure 3.5(a), which is deployed in a homogeneous medium. Note that
$E_{GC,M_2} > E_{GC,M_1}$ since $d_{GC,M_2} > d_{GC,M_1}$. The routing tree shown in figure 3.5(a) is optimal in
total transmit power. In the key tree of figure 3.5(c), denoted as Tree A, we randomly place the
four members of the multicast group in the leaves of the key tree, independent of the network
topology as in wired networks. The second row of Table 3.2 shows the average key update energy
for Tree A, denoted as $E_{Ave}^A$, and computed based on (3.5) by assuming that it is equally likely
($p(M_i) = \frac{1}{4}$) for each member to leave the multicast group.

Assume now that the members are grouped according to their physical proximity. Then, $M_1$
is grouped with $M_4$, and $M_2$ with $M_3$, resulting in the physical proximity based key tree of
figure 3.5(d), denoted as Tree B. The third row of Table 3.2 shows the average key update energy
for Tree B, denoted as $E_{Ave}^B$, and computed based on (3.5) by assuming that it is equally likely
($p(M_i) = \frac{1}{4}$) for each member to leave the multicast group. The energy saved by performing a
rekey operation with the physical proximity based key Tree B over the random key Tree A for the
network of figure 3.5(a) is computed as:


JT'A  ttiB 
Ave  ^  Ave 


4  \E{M2,M4}  +  E{M!,M3}  E{Mi,M4}  E{M2,M3} 
2 

-j;  {Egc-+m2  ~  Eqc—^Mi  )  >  0, 


(3.17) 


where $E_{A \to B}$ denotes the energy required for transmission of a key from node A to node B. The
saved energy in (3.17) is positive since, for a homogeneous medium (constant $\gamma$) and $d_{GC,M_2} >
d_{GC,M_1}$, it is implied that $E_{GC \to M_2} > E_{GC \to M_1}$.
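
The $\alpha \log_\alpha N - 1$ rekey messages of Section 3.4 and the Tree A versus Tree B comparison above can be reproduced numerically. The sketch below is an added example, not code from the report: the four-member routing tree, its link costs, the function names, and the energy model (a sender transmits once, at the highest link cost among the children it must reach) are assumptions constructed for illustration.

```python
"""LKH rekeying cost over a routing tree (added illustration, constructed data)."""


def rekey_subgroups(leaves, alpha, leaving):
    """Recipient sets of the rekey messages the GC sends when `leaving` departs.

    `leaves` lists the members in key-tree leaf order (length alpha**h).
    Every key on the path from the leaving leaf to the root is replaced, and
    the new key is sent once per child subtree that still has members.
    """
    n, h, size = len(leaves), 0, 1
    while size < n:
        size, h = size * alpha, h + 1
    if size != n:
        raise ValueError("number of leaves must be a power of alpha")
    pos = leaves.index(leaving)
    messages = []
    for level in range(h - 1, -1, -1):       # parent of the leaf, up to the root
        span = alpha ** (h - level)          # leaves below the key being replaced
        start = (pos // span) * span
        child = span // alpha                # leaves below each child subtree
        for c in range(alpha):
            lo = start + c * child
            group = frozenset(leaves[lo:lo + child]) - {leaving}
            if group:                        # the departed leaf receives nothing
                messages.append(group)
    return messages


def delivery_energy(parent, link_cost, targets):
    """Energy to deliver one message from the GC to `targets` over routing tree R.

    `parent[n]` is n's upstream node in R (None for the GC) and `link_cost[n]`
    is the cost of the link parent[n] -> n. Broadcast advantage: one
    transmission by a sender serves all of its children that need the message.
    """
    needed = {}
    for member in targets:
        node = member
        while parent[node] is not None:
            up = parent[node]
            needed[up] = max(needed.get(up, 0.0), link_cost[node])
            node = up
    return sum(needed.values())


def update_energy(leaves, alpha, parent, link_cost, leaving):
    """E_{M_i} of (3.6): sum of the delivery energies of all rekey messages."""
    return sum(delivery_energy(parent, link_cost, sg)
               for sg in rekey_subgroups(leaves, alpha, leaving))


def average_update_energy(leaves, alpha, parent, link_cost):
    """E_Ave of (3.5) with uniform leave probability p(M_i) = 1/N."""
    total = sum(update_energy(leaves, alpha, parent, link_cost, m) for m in leaves)
    return total / len(leaves)


# Constructed network: M4 is reached through M1, M3 through M2, and M2 is the
# more expensive first hop from the GC (values are illustrative only).
PARENT = {"GC": None, "M1": "GC", "M2": "GC", "M4": "M1", "M3": "M2"}
LINK_COST = {"M1": 1.0, "M2": 4.0, "M4": 1.0, "M3": 1.0}
TREE_A = ["M1", "M3", "M2", "M4"]   # placement that ignores the topology
TREE_B = ["M1", "M4", "M2", "M3"]   # members sharing a route share a KEK

if __name__ == "__main__":
    for name, tree in (("Tree A", TREE_A), ("Tree B", TREE_B)):
        print(name, average_update_energy(tree, 2, PARENT, LINK_COST))
    e_mg = delivery_energy(PARENT, LINK_COST, set(TREE_B))
    print("bound (3.10):", e_mg * (2 * 2 - 1))
```

Both key trees send the same number of messages per deletion; only the placement of members at the leaves changes the energy spent delivering them.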


3.6.2  Network  deployed  in  a  heterogeneous  medium 

We now consider the case of an ad hoc network deployed in a heterogeneous medium, where
the attenuation factor $\gamma$ varies over space. Under heterogeneous path loss, physical proximity is
not a monotonic property of “power proximity.” Closely located nodes do not necessarily receive
messages via overlapping routing paths. Hence, node location information alone is not sufficient
for constructing an energy-efficient key tree.

To illustrate the above observation, we consider the ad hoc network shown in figure 3.5(b), in
which nodes have the same locations as in figure 3.5(a). However, there exists a physical obstacle
between nodes M1 and M4. Thus, the attenuation factor for signal transmission between M1 and
M4 is significantly higher than in the obstacle-free network regions, and in the optimal routing tree
in total transmission power, M4 is connected to the network through M3.

Figure 3.5: An ad hoc network and the corresponding routing tree with the minimum total transmission power,
deployed in (a) a homogeneous medium, (b) a heterogeneous medium. (c) A random key distribution tree, Tree A. (d)
A key distribution tree based on physical proximity, Tree B. (e) A key distribution tree based on “power proximity,”
Tree C.


We now show that in an environment with variable path loss, we are able to construct an
energy-efficient key tree by correlating nodes according to their “power proximity,” rather than physical
proximity. We may acquire such information either by using path loss information in addition
to the node location [86, 87, 105, 106, 125], or by measuring the required transmission power for
communication between pairs of nodes. Members that are closely located in terms of power are
grouped together (placed adjacently in the key tree).

For the network in figure 3.5(b), we construct the key distribution tree in figure 3.5(e), denoted
as Tree C. We place members adjacently in the key tree according to their “power proximity.” M1 is
grouped with M2, and M3 with M4 in order to minimize the total communication power variance of
clusters of two members. The last row of Table 3.2 shows the average key update energy for Tree
C, denoted as $E_{Ave}^{C}$, and computed based on (3.5) by assuming that it is equally likely
($p(M_i) = \frac{1}{4}$) for each member to leave the multicast group. The energy saved for performing a rekey operation
by incorporating location as well as the path loss information instead of location alone is computed
as the energy gain due to use of Tree C over Tree B:


$$E_{Ave}^{B} - E_{Ave}^{C} = \frac{1}{2}\left[E^{R}_{\{M_1,M_4\}} + E^{R}_{\{M_2,M_3\}} - E^{R}_{\{M_1,M_2\}} - E^{R}_{\{M_3,M_4\}}\right] = \frac{1}{2}\,E_{M_2 \to M_3} > 0. \qquad (3.18)$$

Table 3.2: Comparison of $E_{Ave}$ for the key trees of figure 3.5(c), (d), (e). $E_{Ave}$ is computed based on eq. (3.5) for
$p(M_i) = \frac{1}{4}$, $i = 1 \ldots 4$.

Method                 Average key update energy

Random tree            $E_{Ave}^{A} = \frac{1}{4}\left[\sum_i E_{\{M_i\}} + 2E_{\{M_2,M_4\}} + 2E_{\{M_1,M_3\}}\right]$

Physical proximity     $E_{Ave}^{B} = \frac{1}{4}\left[\sum_i E_{\{M_i\}} + 2E_{\{M_1,M_4\}} + 2E_{\{M_2,M_3\}}\right]$

“Power proximity”      $E_{Ave}^{C} = \frac{1}{4}\left[\sum_i E_{\{M_i\}} + 2E_{\{M_1,M_2\}} + 2E_{\{M_3,M_4\}}\right]$

Based  on  our  analysis  in  Sections  3.6.1  and  3.6.2  we  make  the  following  conclusions: 

Remark  1:  When  the  medium  is  homogeneous,  we  can  reduce  the  energy  expenditure  for  key 
distribution  by  assigning  common  keys  to  members  within  physical  proximity. 

Remark 2: When the medium is heterogeneous, we need to employ “power proximity”
to generate an energy-efficient key tree hierarchy.

Based  on  remarks  1  and  2,  we  develop  our  key  distribution  algorithms  for  the  homogeneous  and 
heterogeneous  cases. 


3.7 Physical Proximity Based Key Distribution for a Homogeneous Medium

In this Section, we present an algorithm for the homogeneous medium that exploits physical proximity
to generate an energy-efficient key distribution tree. In order to systematically construct a key
tree hierarchy, we cluster nodes based on their location. We translate the physical clustering of the
nodes into a key tree hierarchy, thus obtaining an energy-efficient key distribution tree. The task
of developing an energy-efficient key distribution scheme is reduced to the tasks of (a) identifying a
physical proximity based clustering mechanism, and (b) building a cluster hierarchy that utilizes
the physical proximity based clustering. We discuss both tasks in the following sections.


3.7.1  Physical  proximity  based  clustering  for  energy-efficient  key  distribution 

For the homogeneous medium, we assume that only the node location information is available.
Hence, any clustering technique needs to be model-free while taking the location into account. We
also note that for the homogeneous case, the Euclidean distance between the nodes is a natural
metric for identifying and grouping neighbor nodes. Certainly some other distance metric such as
the Minkowski metric [157] can be used as well, but the monotonicity of the power with respect to the
distance in the case of constant $\gamma$ makes the Euclidean distance a very attractive metric, since it
leads to low complexity algorithms.

Problem  formulation 

Let the coordinates of node $i$ be $x_i = (x_{i1}, x_{i2})$. The squared Euclidean distance between two
nodes $i$ and $i'$ is equal to:


(3.19) 


If C denotes an assignment of the nodes of the network into $\alpha$ clusters, the dissimilarity function
expressing the total inter-cluster dissimilarity W(C) is:

$$W(C) = \sum_{k=1}^{\alpha} \sum_{C(i)=k} \|x_i - m_k\|^2, \qquad (3.20)$$


where C(i) = k denotes the assignment of the ith point to the kth cluster, and $m_k$ denotes the mean
(centroid) of cluster k. Inter-cluster dissimilarity refers to the dissimilarity between the nodes of
the same cluster. We want to compute the optimal cluster configuration C* that minimizes (3.20),
subject to the constraint that the sizes of the resulting clusters are equal. This can be expressed
as:

$$C^{*} = \arg\min_{C} \sum_{k=1}^{\alpha} \sum_{C(i)=k} \|x_i - m_k\|^2, \quad \text{s.t.}\ |C(i)| = |C(j)|,\ \forall i,j. \qquad (3.21)$$


Note that this formulation provides an optimal way to create $\alpha$ sub-clusters from one cluster.
This location based clustering has to be iteratively applied to generate the desired cluster hierarchy.

Solution  approach 

If we relax the constraint $|C(i)| = |C(j)|$, $\forall i, j$, in (3.21), and allow clusters of different sizes,
the solution to the optimization problem in (3.21) can be efficiently approximated by any mean
square based clustering algorithm that uses the Euclidean metric. The K-means [157] algorithm uses
squared  Euclidean  distance  as  a  dissimilarity  measure  to  cluster  different  objects,  by  minimizing 
the  total  cluster  variance  (minimum  square  error  approach).  Note  that  K-means  may  result  in  a 
sub-optimal  local  minimum  solution  depending  on  the  initial  selection  of  clusters,  and  hence,  the 
best  solution  out  of  several  random  initial  cluster  assignments  should  be  adopted  [157].  However, 
K-means  is  easily  implemented  and  hence,  is  an  ideal  solution  for  computationally  limited  devices. 
Algorithmic  details  on  solving  (3.21)  without  any  constraint  on  the  cluster  size  are  given  in  [157]. 

In order to satisfy the equal cluster size constraint posed in (3.21), we need a refinement
algorithm (RA) that balances the cluster sizes. According to (3.21), the RA should result in
balanced clusters with the lowest total inter-cluster dissimilarity. In the binary tree case, given
two clusters A, B with $|A| > |B|$, the refinement algorithm moves objects $i_1, i_2, \ldots, i_k \in A$, with
$k = \lfloor (|A| - |B|)/2 \rfloor$, from cluster A to cluster B, such that the inter-cluster dissimilarity after the
refinement is minimally increased. We choose the objects $i_1, i_2, \ldots, i_k \in A$ such that:

$$i_j = \arg\min_{i \in A}\left[d^2_{i,m_B} - d^2_{i,m_A}\right], \quad j = 1 : \left\lfloor \frac{|A| - |B|}{2} \right\rfloor, \qquad (3.22)$$

where $m_A$ and $m_B$ are the centroids of clusters A, B. We study the optimality of the refinement
algorithm in Appendix 3.14.1.


3.7.2 A suboptimal energy-efficient key distribution scheme based on physical proximity

We now develop an algorithm that maps the physical proximity based clustering into a hierarchical
key tree structure. We need to construct a key tree of fixed degree $\alpha$. Initially, the global cluster is
divided into $\alpha$ sub-clusters using K-means. Then, we employ the RA algorithm that balances the
cluster sizes by moving the most dissimilar objects to appropriate clusters. The RA leads to the
construction of a balanced key tree when $N = \alpha^n$, $n \in \mathbb{Z}$, and allows us to construct a structure as
close to balanced as possible when $N \neq \alpha^n$. Each cluster is subsequently divided into $\alpha$ new
ones, until clusters of at most $\alpha$ members are created (after $\log_{\alpha} N$ splits). Since our algorithm
uses only location information as input, we call it Location-Aware Key Distribution Algorithm
(LocKeD). Figure 3.6 presents the pseudo code for LocKeD. We now describe the notational
and algorithmic details of figure 3.6.

(a) Location-Aware Key Distribution

    C = {P}
    AssignKey(C)
    index = 1
    while index < ⌈log_α(N)⌉
        C_temp = {∅}
        thres = ⌈N / α^index⌉
        for i = 1 : |C|
            R = Kmeans(C(i), α)
            R = Refine(R, thres)
            AssignKey(R)
            C_temp = C_temp ∪ R
        end for
        index++
        C = C_temp
    end while

(b) Refinement Algorithm - RA

    C_Low  = {C(i) ∈ C : |C(i)| < thres}
    C_High = {C(i) ∈ C : |C(i)| > thres}
    repeat until C_High = ∅
        find x* ∈ A, A ∈ C_High:
            x* = argmin_{x ∈ A} [diss(x, m_B) − diss(x, m_A)],
                 ∀ x ∈ A, ∀ A ∈ C_High, ∀ B ∈ C_Low
        move x* to cluster B
        C_Low  = {C(i) ∈ C : |C(i)| < thres}
        C_High = {C(i) ∈ C : |C(i)| > thres}
    end repeat

Figure 3.6: Pseudo code for (a) the location-aware key distribution algorithm (LocKeD) and (b) the Refinement
Algorithm (RA). Repeated application of the Kmeans() function followed by the Refinement Algorithm Refine() for
balancing the cluster sizes generates the cluster hierarchy. Function AssignKey() assigns a common key to every
member of its argument.

Let P denote the set containing all the two-dimensional points (objects) corresponding to the
location of the nodes. Let $C = \{C(1), C(2), \ldots, C(\alpha)\}$ denote a partition of P into $\alpha$ subsets
(clusters), i.e. $\bigcup_i C(i) = P$. Initially, all objects belong to the global cluster P. The function
AssignKey() assigns a common key to every subset (cluster) of its argument set. For example,
AssignKey(P) will assign the SEK to every member of the global cluster P.

The index variable counts the number of steps required until the termination of the algorithm.
The thres variable holds the number of members each cluster ought to contain at level l = index
of the key tree construction. The root of the tree is at level l = 0. The Kmeans(C(i), α) function
divides the set C(i) into $\alpha$ clusters and returns the cluster configuration to variable R. The
Refine(R, thres) function balances the sizes of the clusters in R according to the thres variable.
Then, AssignKey() is applied to assign different keys to every cluster in R. The process is repeated
until $\lceil \log_{\alpha} N \rceil$ steps have been completed.

Computational Complexity of LocKeD: In terms of algorithmic complexity, the LocKeD
algorithm iteratively applies K-means up to N times in the worst case (generation of a binary
tree). K-means has algorithmic complexity of $O(N)$ [157]. Hence, the complexity of LocKeD
is $O(N^2)$.

Figure 3.7: (a) An ad hoc network deployed in a homogeneous medium and the corresponding routing paths.
Iterative application of the location based clustering and the resulting cluster hierarchy. (b) The key distribution
tree resulting from the application of LocKeD.


Application of LocKeD on a sample network: Consider the network in figure 3.7(a),
deployed in a homogeneous medium with an attenuation factor $\gamma = 2$. We will construct a
location-aware key distribution tree of degree $\alpha = 2$ with nodes {2, 3, ..., 9} being the members
{M2, M3, ..., M9} of the multicast group, respectively. Initially, all members belong to the global
cluster P.

Note  that  the  GC  does  not  participate  in  the  clustering.  The  key  tree  is  constructed  by  executing 
the  following  steps: 

Step 1: Assign the SEK $K_0$ to every member of the global cluster P.

Step 2: Create two clusters by splitting the global cluster. The two clusters that yield minimal
total cluster dissimilarity are:

C1 = {M2, M3, M4, M6, M8, M9}, C2 = {M5, M7}.

Since we seek to construct a balanced key tree, apply the refinement algorithm to balance
the cluster sizes. Move M2 and M6 to cluster C2. Assign two different KEKs to members of
clusters C1 and C2. Members of C1 are assigned KEK $K_{1,1}$ and members of C2 are assigned
KEK $K_{1,2}$.

Step 3: Create clusters of two members, by splitting the clusters of four members. The four
created clusters are:

C3 = {M2, M6}, C4 = {M3, M4}, C5 = {M8, M9}, C6 = {M5, M7}.

Again, different KEKs are assigned to members of clusters C3-C6. Members of C3 are assigned
KEK $K_{2,1}$, members of C4 are assigned KEK $K_{2,2}$, members of C5 are assigned KEK $K_{2,3}$
and members of C6 are assigned KEK $K_{2,4}$. At this point we have completed the $\lceil \log_{\alpha} N \rceil$
steps required by LocKeD and the algorithm terminates.
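
The LocKeD steps above, written out for the binary case ($\alpha = 2$) as an added Python example; it is not code from the report. The coordinates are constructed for illustration (they are not the positions of figure 3.7(a)), and K-means is started from every pair of members rather than from random assignments so that the result is reproducible.

```python
import itertools

# Constructed coordinates, chosen so that the first K-means split is unbalanced (6 vs 2).
COORDS = {
    "M2": (5.0, 0.0), "M3": (0.0, 0.0), "M4": (1.0, 0.0), "M5": (30.0, 0.0),
    "M6": (6.0, 0.0), "M7": (31.0, 0.0), "M8": (0.0, 3.0), "M9": (1.0, 3.0),
}

def d2(p, q):
    """Squared Euclidean distance, the dissimilarity of the homogeneous case."""
    return (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2

def centroid(coords, cluster):
    n = len(cluster)
    return (sum(coords[m][0] for m in cluster) / n,
            sum(coords[m][1] for m in cluster) / n)

def kmeans2(coords, members, max_iter=100):
    """Split members into two clusters minimising W(C) of (3.20).

    K-means only reaches a local minimum, so every pair of members is tried
    as initial centres and the partition with the lowest W(C) is kept.
    """
    best_w, best = None, None
    for a, b in itertools.combinations(members, 2):
        centers = [coords[a], coords[b]]
        for _ in range(max_iter):
            clusters = [[], []]
            for m in members:
                nearer = 0 if d2(coords[m], centers[0]) <= d2(coords[m], centers[1]) else 1
                clusters[nearer].append(m)
            if not clusters[0] or not clusters[1]:
                break
            updated = [centroid(coords, c) for c in clusters]
            if updated == centers:
                break
            centers = updated
        if clusters[0] and clusters[1]:
            w = sum(d2(coords[m], centers[k]) for k in (0, 1) for m in clusters[k])
            if best_w is None or w < best_w:
                best_w, best = w, clusters
    return best

def refine(coords, a, b):
    """RA for two clusters: move k = floor((|A| - |B|) / 2) objects from the
    larger cluster A to B, taking the smallest d2(i, m_B) - d2(i, m_A) (3.22).
    Assumption: the centroids are those of the clusters before any move."""
    if len(a) < len(b):
        a, b = b, a
    m_a, m_b = centroid(coords, a), centroid(coords, b)
    k = (len(a) - len(b)) // 2
    ranked = sorted(a, key=lambda m: d2(coords[m], m_b) - d2(coords[m], m_a))
    moved = ranked[:k]
    return [m for m in a if m not in moved], list(b) + moved

def locked(coords, members):
    """Build the key tree: returns {key name: members holding that key}."""
    keys = {"K0": sorted(members)}             # SEK for the global cluster
    clusters, level = [list(members)], 1
    while any(len(c) > 2 for c in clusters):
        split = []
        for c in clusters:
            if len(c) <= 2:
                split.append(c)                # already a leaf cluster
            else:
                split.extend(refine(coords, *kmeans2(coords, c)))
        for j, c in enumerate(split, 1):
            keys[f"K{level},{j}"] = sorted(c)  # one KEK per cluster of this level
        clusters, level = split, level + 1
    return keys

if __name__ == "__main__":
    for name, holders in locked(COORDS, list(COORDS)).items():
        print(name, holders)
```

With these constructed positions the first split is {M5, M7} against the other six members, and the refinement moves M6 and M2, the two members nearest to the small cluster.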

The resulting hierarchical key tree constructed using LocKeD is shown in figure 3.7(b). We now
study the heterogeneous case.


3.8 Power Proximity-Based Key Distribution for a Heterogeneous Medium

3.8.1  Characteristics  of  the  heterogeneous  medium 

When the wireless medium is heterogeneous, the signal attenuation factor is not unique for the
network deployment area. An office building is a typical example of an environment where the
attenuation factor varies even across very short distances. The signal attenuation for nodes located
on different floors is significantly higher than for nodes located on the same floor [140]. The
heterogeneity of the medium creates additional challenges in performing energy-efficient key distribution.

Constraint 1: As shown by the example in Section 3.6.2, in a heterogeneous medium, physical
proximity between two nodes does not equate to less transmission power needed for communication
between those nodes. Hence, in a heterogeneous medium, Euclidean distance is not a suitable metric
to express the dissimilarity between the objects (nodes) that need to be clustered.

We  showed  in  Section  3.6.2  that  direct  use  of  “power  proximity”  leads  to  energy-efficient  key 
distribution,  when  the  medium  is  heterogeneous.  Hence,  we  propose  the  use  of  transmission  power 
as  the  dissimilarity  measure  for  performing  the  clustering.  We  define  the  dissimilarity  between  two 
nodes  i,j  for  the  heterogeneous  medium  as: 

$$diss(i,j) = P(d_{ij}). \qquad (3.23)$$

We note that the K-means algorithm, used as a critical component of the balanced clustering algorithm
in the homogeneous medium case, cannot use any arbitrary dissimilarity measure but Euclidean
distance, since it utilizes the notion of mean vectors. Hence, for the heterogeneous case, we cannot use
K-means as a component of our “power proximity” based algorithm.

Constraint 2: In a heterogeneous environment, different network regions need to be described
using different path loss models [140]. Depending upon node location and the medium, a different
function shall be used to calculate the dissimilarity between two nodes. Hence, any solution
approach should allow the simultaneous use of arbitrary and multiple dissimilarity measures
representing different network regions.

Our  task  of  developing  an  energy-efficient  key  distribution  algorithm  for  the  heterogeneous 
medium  is  reduced  to,  (a)  identifying  a  “power  proximity”  based  algorithm  to  identify  clusters 
with  high  success,  (b)  generating  a  cluster  hierarchy  that  will  be  mapped  into  a  key  tree  hierarchy. 
We  now  present  techniques  suitable  for  “power  proximity”  based  clustering. 


3.8.2  “Power  proximity”  based  clustering  for  energy-efficient  key  distribution 

As noted above, K-means clustering cannot be part of the balanced clustering algorithm to
be developed in the heterogeneous case. A candidate solution needs to be able to handle arbitrary
dissimilarity metrics. We use two different approaches for clustering in the heterogeneous case.
The first approach employs a clustering technique known as K-medoids [95], that minimizes the
total inter-cluster dissimilarity. Hence, K-medoids exploits “power proximity” in the optimal way.
In order to create a key tree of fixed degree, K-medoids clusters have to be balanced and the
algorithm has to be iteratively applied for every level of the tree. Though optimal in cluster
quality, the complexity of K-medoids is prohibitive for large networks and therefore, we adopt a
sub-optimal solution based on randomized sampling.

Our second approach is based on Divisible Hierarchical Clustering (DHC) [95]. DHC minimizes
the average inter-cluster dissimilarity within each cluster, while directly generating a cluster
hierarchy. The hierarchical feature of DHC, along with the ability to use any arbitrary dissimilarity
measure, makes this solution attractive for creating a key tree hierarchy. In order to produce a
balanced key tree, we need to ensure that at each stage the clusters are balanced. We describe
both approaches in detail in the following sections.


Minimizing  the  total  inter-cluster  dissimilarity 

We now describe the first formulation that satisfies Constraint 1 and Constraint 2 and exploits
“power proximity”.

Problem  formulation 

We  need  a  clustering  technique  that,  (a)  uses  power  P(dij)  as  a  dissimilarity  measure  to  generate 
clusters  and  group  together  the  most  “similar”  nodes,  (b)  generates  clusters  of  equal  size.  While 
using  an  arbitrary  dissimilarity  metric  other  than  the  Euclidean  distance,  it  is  not  feasible  to  define 
the  centroid  of  a  cluster.  Hence,  the  total  cluster  dissimilarity  cannot  be  computed  with  respect  to 
the  centroid,  as  in  (3.21). 

To overcome this limitation, we identify the most centrally located object within a cluster as
a cluster representative, called medoid. We then compute the inter-cluster dissimilarity by adding
the dissimilarities of each object of a cluster with its medoid. In order to construct $\alpha$ clusters
$C = \{C_1, C_2, \ldots, C_\alpha\}$, we select $\alpha$ medoids, $M = \{m_1, m_2, \ldots, m_\alpha\}$, one for each cluster. For each
choice of medoids, an object $i$, $i \notin M$, is assigned to the cluster $C_j$, $j = 1 \ldots \alpha$, if:

$$diss(i, m_j) \le diss(i, m_r), \quad \forall r = 1, \ldots, \alpha, \qquad (3.24)$$

where $m_x$ denotes the medoid of the cluster $C_x$. Using the medoids as reference points, the total
inter-cluster dissimilarity is computed as:

$$W(C) = \sum_{i=1}^{N} \min_{m_j,\ j=1,\ldots,\alpha} diss(i, m_j). \qquad (3.25)$$

We want to find the optimal medoids $M^{*} = \{m_1^{*}, m_2^{*}, \ldots, m_\alpha^{*}\}$ that minimize (3.25), subject to the
constraint that the sizes of the resulting clusters are equal. Therefore:

$$C^{*} = \arg\min_{\{m_r\},\,C} \sum_{i=1}^{N} \min_{m_j,\ j=1,\ldots,\alpha} diss(i, m_j), \quad \text{s.t.}\ |C(i)| = |C(j)|,\ \forall i,j. \qquad (3.26)$$

Solution  approach 

Let us first consider solving the optimization problem in (3.26) without the constraint
$|C(i)| = |C(j)|$, $\forall i, j$, imposed on the cluster sizes. Kaufman and Rousseeuw [95] proposed a solution that
minimizes the total inter-cluster dissimilarity in (3.26). Their K-medoids method, called Partitioning
Around Medoids (PAM) [95], repeats successive exchanges between medoids and ordinary objects
until the medoid set resulting in the smallest cluster dissimilarity is found. While PAM is optimal, it
scales poorly with group size and hence, Kaufman and Rousseeuw proposed a scalable sub-optimal
K-medoids method called Clustering LARge Applications (CLARA) [95], based on randomized
sampling.

The K-medoids algorithm, however, leads to clusters of unequal sizes [95]. Hence, in order to satisfy
the constraint posed in (3.26), we need the refinement algorithm (RA) of figure 3.6(b) to balance
the cluster sizes. The criterion by which successive objects $i_1, i_2, \ldots, i_k \in A$, with $k = \lfloor (|A| - |B|)/2 \rfloor$,
are moved from cluster A to cluster B with $|A| > |B|$ is modified to reflect the dissimilarity metric
used in the heterogeneous medium. We choose the objects $i_1, i_2, \ldots, i_k \in A$ such that:

$$i_j = \arg\min_{i \in A}\left[P(d_{i,m_B}) - P(d_{i,m_A})\right], \quad j = 1 : \left\lfloor \frac{|A| - |B|}{2} \right\rfloor, \qquad (3.27)$$


where $m_A$ and $m_B$ refer to the medoids of clusters A and B, respectively. By minimally increasing
W(C) at each object re-assignment, we achieve the optimal solution for the constrained optimization
problem in (3.26) in the case of binary trees. Following similar analysis as in the case of the
homogeneous medium, when more than two clusters need to be balanced (degree of the tree > 2),
we can show that while the refinement algorithm presented is only sub-optimal, the complexity
of the optimal solution is prohibitively high as the number of nodes grows. Hence, we adopt the
sub-optimal solution. The algorithmic details of K-medoids are presented in Appendix 3.14.2.

We  now  present  the  second  approach  that  is  based  on  minimizing  the  average  dissimilarity 
within  each  cluster. 


Minimizing  the  average  inter-cluster  dissimilarity 

We now describe a clustering technique that minimizes the average dissimilarity within a cluster,
instead of the total cluster dissimilarity. The advantage of using the average over the total
dissimilarity is that we do not compute the dissimilarity with respect to a single cluster object,
as in the K-medoids method. Furthermore, we can provide a solution inspired by divisible hierarchical
clustering (DHC) that inherently provides a cluster hierarchy. We first introduce the following
quantities.

Cluster Diameter: Diameter diam of a cluster A is defined as the highest dissimilarity between
two objects within the cluster, given by:

$$diam(A) := \max_{i,j \in A} P(d_{i,j}). \qquad (3.28)$$

Average inter-cluster dissimilarity of an object: For an object i in cluster A, the average
inter-cluster dissimilarity, denoted by a(i), is defined as the average of the dissimilarities of i with all
other objects in A as:

$$a(i) = \frac{1}{|A| - 1} \sum_{j \in A,\ j \neq i} P(d_{i,j}). \qquad (3.29)$$

Average intra-cluster dissimilarity of an object: For an object i, $i \in A$, and given a cluster
B, $i \notin B$, the average intra-cluster dissimilarity, denoted w(i, B), is given by:

$$w(i,B) = \frac{1}{|B|} \sum_{j \in B} P(d_{i,j}). \qquad (3.30)$$


Description of the algorithm: Initially, all objects are moved to a global cluster A. The object
$i^{*} \in A$,

$$i^{*} = \arg\max_{i \in A} a(i), \qquad (3.31)$$

with the highest dissimilarity is moved to a new cluster B. Quantities a(i) and w(i, B) are then
recomputed for all $i \in A$. An object $m \in A$ is moved from cluster A to cluster B only if m is
more similar to cluster B,

$$m = \arg\max_{i \in A}\left[a(i) - w(i,B)\right], \quad a(m) - w(m,B) > 0. \qquad (3.32)$$

The moving of objects is repeated until no object in A is more similar to B, i.e. $a(i) < w(i,B)$, $\forall i \in A$.
At this stage clusters A and B have been finalized as parent clusters. In the next step, the
cluster with the biggest diameter is further split into two new clusters using the previous steps.
Though this procedure generates a binary hierarchical tree, we can modify it to generate a tree of
arbitrary degree $\alpha$. To construct one level of a hierarchical tree of degree $\alpha$, the following steps are
followed:

Step 1: Perform ($\alpha$ - 1) successive splits of the global cluster, leading to a total of $\alpha$ clusters.

Step 2: Set the $\alpha$ clusters as parents on the first level of the hierarchy.

Step 3: Repeat steps 1-2 until every child cluster contains $\alpha$ objects.

In  DHC,  the  two  clusters  created  by  a  split  of  one  cluster  have  minimum  average  inter-cluster 
dissimilarity.  However,  this  minimization  need  not  necessarily  lead  to  clusters  of  equal  sizes.  Hence, 
the  RA  algorithm  needs  to  be  applied  to  balance  the  cluster  sizes. 

After Step 1, we utilize the RA algorithm developed in figure 3.6(b). According to figure 3.6(b),
an object $x^{*} \in A$ is moved from a cluster $A \in C_{High}$ with more objects than the threshold thres,
to a cluster $B \in C_{Low}$ with fewer objects than thres, if:

$$x^{*} = \arg\min_{x \in A}\left[diss(x, m_B) - diss(x, m_A)\right], \quad \forall x \in A,\ \forall A \in C_{High},\ \forall B \in C_{Low}. \qquad (3.33)$$

However, no notion of a mean point or representative cluster object exists if average inter-cluster
dissimilarity is used. We therefore move the object $x^{*} \in A$, from a cluster $A \in C_{High}$ with more
objects than the threshold thres, to a cluster $B \in C_{Low}$ with fewer objects than thres, if:

$$x^{*} = \arg\max_{x \in A}\left[a(x) - w(x,B)\right], \quad \forall x \in A,\ \forall A \in C_{High},\ \forall B \in C_{Low}. \qquad (3.34)$$

The algorithmic details of DHC are given in Appendix 3.14.2. We now present the
performance evaluation of the algorithms we developed.
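
The contrast between Tree B and Tree C in Section 3.6.2 and the DHC split with balancing described above, as an added Python example (not code from the report). The node positions, the obstructed link and the path loss form $P(d) = d^{\gamma}$ with $\gamma = 4$ across the obstacle are assumptions constructed for illustration.

```python
import math

# Constructed layout in the spirit of figure 3.5(b); not the report's coordinates.
POS = {"M1": (0.0, 0.0), "M2": (0.0, 2.5), "M3": (3.0, 3.0), "M4": (2.0, 0.0)}
OBSTRUCTED = {frozenset(("M1", "M4"))}        # the link that crosses the obstacle

def location_diss(i, j, gamma=2.0):
    """Homogeneous model: the same attenuation factor on every link."""
    return math.dist(POS[i], POS[j]) ** gamma

def power_diss(i, j, gamma=2.0, gamma_obstructed=4.0):
    """diss(i, j) = P(d_ij) of (3.23), with a higher attenuation factor
    on the obstructed link (assumed path loss model)."""
    g = gamma_obstructed if frozenset((i, j)) in OBSTRUCTED else gamma
    return math.dist(POS[i], POS[j]) ** g

def avg_diss(diss, i, group):
    """Average dissimilarity of i to the other objects of group:
    a(i) of (3.29) when i is in group, w(i, B) of (3.30) when it is not."""
    others = [j for j in group if j != i]
    return sum(diss(i, j) for j in others) / len(others) if others else 0.0

def dhc_split(members, diss):
    """One DHC split: (3.31) seeds cluster B, (3.32) grows it."""
    a_set = list(members)
    seed = max(a_set, key=lambda i: avg_diss(diss, i, a_set))
    a_set.remove(seed)
    b_set = [seed]
    while len(a_set) > 1:
        gain = {i: avg_diss(diss, i, a_set) - avg_diss(diss, i, b_set) for i in a_set}
        m = max(gain, key=gain.get)
        if gain[m] <= 0:                       # nobody in A is closer to B
            break
        a_set.remove(m)
        b_set.append(m)
    return a_set, b_set

def balance(a_set, b_set, diss):
    """Refinement with criterion (3.34): move objects from the larger
    cluster to the smaller one until the sizes differ by at most one."""
    big, small = (a_set, b_set) if len(a_set) >= len(b_set) else (b_set, a_set)
    big, small = list(big), list(small)
    while len(big) - len(small) >= 2:
        x = max(big, key=lambda i: avg_diss(diss, i, big) - avg_diss(diss, i, small))
        big.remove(x)
        small.append(x)
    return big, small

def pair_members(diss):
    """Leaf clusters of the key tree for the four members under diss."""
    a_set, b_set = dhc_split(list(POS), diss)
    return sorted(sorted(c) for c in balance(a_set, b_set, diss))

if __name__ == "__main__":
    print("location only:", pair_members(location_diss))   # Tree B grouping
    print("power based:  ", pair_members(power_diss))      # Tree C grouping
```

With location alone the split is 3 against 1 and the refinement step produces the Tree B pairs; with the power-based dissimilarity the same positions yield the Tree C pairs.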


3.9  Routing-aware  Key  Distribution 

The solutions developed so far do not take into account the routing paths of the routing tree.
In this section we develop a solution that relies on the multicast routing tree R for constructing
an energy-efficient key distribution tree T. By accumulating information from the routing tables
during the route path establishment, the GC can compute the energy $E_i(R)$, i = 1..N, required
to unicast a message to each member of the multicast group. Then, the GC can characterize a
node I as inner compared to an outer node O, if $E_I(R) < E_O(R)$. As an example, in Figure 3.8(a),
node six is an outer node compared to node seven, but is an inner node compared to node eight.
As the total network transmission power increases, one expects more inner nodes to be covered by
transmissions to outer nodes.

Assume that node I is an inner node compared to node O, i.e. $E_I < E_O$, and that by transmitting
to O we cover I. The energy expenditure for sending a message to both I and O is $E_O$ if I and O
share a common key, and $E_O + E_I$ if I and O do not share a common key. Hence, by assigning a
common key to I and O we save $E_I$, with maximum savings achieved when $E_I = E_O$. Consider for
example nodes nine (inner node) and five (outer node) in Figure 3.8(a). By transmitting to node
five we cover node nine, due to the broadcast advantage. Assume that nodes five and nine need to
receive a key only common to them and i) they already share a common key, ii) they do not share
a common key. In the first case the energy expenditure for sending a key to both five and nine is
$E_{\{5,9\}} = 31.45$ Energy Units (EU), while in the second case the key has to be unicasted to each
node and the required energy is $E_{\{5\},\{9\}} = 58.02$ EU.

Figure 3.8: (a) The routing paths of a wireless ad hoc network. (b) Key distribution tree built with the
Routing-Aware key distribution algorithm. (c) Best possible key distribution tree. (d) Worst possible key distribution tree.

By assigning common keys to groups of nodes that differ the least in $E_i$, we save the most energy
for sending keys common only to those groups. Consider nodes nine and five in Figure 3.8(a), and
assume they already share a common key. We save 26.57 EU for transmitting a key to both of
them, which is the highest out of any other possible member pairing. By also assigning a common
key to {5, 6, 8, 9} we need only 31.45 EU to update a key to the subgroup, saving 19.46 EU if only
pairs {6, 8} and {5, 9} shared a common key and 46.03 EU if there was no key overlap.

If we sort all members according to $E_i$, i = 1..N, in ascending order, we minimize the energy
expenditure difference $(E_{i+1} - E_i)$ between consecutive members and maximize the energy savings
$E_I$ if transmission to node O covers node I. Therefore, by assigning common keys to members
differing the least in $E_i$ (placing them under the same parent node in the key distribution tree) we
achieve high energy savings. We propose the placement of the multicast members to the leaves of
the key distribution tree according to the ascending order of energy expenditure $E_i$. In figure 3.9
we present our Routing-Aware Key distribution scheme (RAwKey).

Routing-Aware Key Distribution Scheme (RAwKey)

Step 1: Compute all $E_i(R)$ from the GC to each member of the multicast group.

Step 2: Sort $E = \{E_1, E_2, \ldots, E_N\}$ in ascending order.

Step 3: Add members as leaf nodes to the key distribution tree from left to right
in the same order as E.


Figure 3.9: The steps of the Routing-Aware Key Distribution scheme (RAwKey).

Though  this  is  not  the  optimal  solution,  its  performance  and  implementation  simplicity  make  it  an 
extremely  attractive  method  for  key  management  in  secure  multicast  communications  for  ad  hoc 
networks. 

3.9.1  Application  of  RAwKey  to  a  sample  network 

We now illustrate the construction of the key tree for the nine-node network shown in Figure 3.8(a).
The GC can communicate with each member of the multicast group by using the routing paths
indicated. Sorting the energies for reaching each member of the multicast group gives
$E_{\{M_3\}} < E_{\{M_7\}} < E_{\{M_4\}} < E_{\{M_2\}} < E_{\{M_6\}} < E_{\{M_8\}} < E_{\{M_9\}} < E_{\{M_5\}}$.
The resulting key distribution tree is shown in Figure 3.8(b). The optimal key distribution tree,
obtained by exhaustive searching, is shown in Figure 3.8(c). We can observe that the two trees are
almost identical, with only members $M_4$ and $M_7$ being interchanged. The worst possible tree, also
obtained through exhaustive search, is shown in Figure 3.8(d). The optimal possible tree has
$E_{Ave}^{opt}(R,T) = 62.7$ EU, the tree created with RAwKey has $E_{Ave}^{RAwKey}(R,T) = 63$ EU (0.5% worse
than the optimal tree) and the worst possible tree has $E_{Ave}^{worst}(R,T) = 78.3$ EU (24.9% worse than
the optimal tree).

3.9.2 Complexity of RAwKey

RAwKey  requires  the  computation  of  the  unicast  energies  to  reach  every  member  of  the  multicast 
group  sorted  in  ascending  order.  During  the  building  of  the  multicast  routing  tree  the  GC  can 
acquire  the  order  by  which  nodes  are  added  to  the  tree.  In  the  case  of  SPR  the  order  of  adding 
nodes  to  the  multicast  tree  is  the  same  as  sorting  the  unicast  energies  and  no  further  steps  are 
required. 

When  BIP  or  MST  is  used  as  a  routing  algorithm,  the  order  by  which  nodes  are  added  to  the 
multicast  tree  is  not  the  same  as  the  ascending  order  of  unicast  energies.  However,  the  set  is  almost 
ordered  since  nodes  requiring  less  transmit  power  to  be  reached  are  in  general  added  first  to  the 
routing  tree.  Hence,  an  efficient  sorting  algorithm  for  almost  sorted  data  can  significantly  reduce 
the  sorting  time.  Bubblesort  [49]  is  known  to  have  very  good  performance  for  almost  sorted  data 
with  O(N)  complexity  in  the  best  case  (almost  sorted  sets).  The  EWMA  uses  MST  as  a  base 
algorithm  and  hence,  an  almost  ordered  set  can  also  be  acquired. 


3.10  VP3:  Vertex-Path,  Power-Proximity,  A  Cross-Layer  Approach 

The VP3 algorithm borrows its name from the network and physical layer information it exploits in
order to build an energy-efficient key distribution tree: Vertex-Path, Power-Proximity (VP3). We
first introduce the main ideas of VP3, and then present algorithmic details. VP3 reduces $E_{Ave}$ by
constructing key trees that assign the same KEKs to members that receive messages via common
routing paths. For instance, if a member $M_i$ lies on the path from the GC to member $M_j$, and a
message is sent to both $M_j$ and $M_i$, the latter will receive the message for free. Hence, by assigning
a common KEK, $K_{i,j}$, to subgroup $S_{i,j} = (M_i, M_j)$, VP3 decreases the energy expenditure required
for updating the SEK and common KEKs, whenever transmitting a message to both nodes.

To explore this idea, VP3 discovers which members of MG share the longest paths or, equivalently,
which members have paths that differ the least, a property that is extracted from a given
broadcast routing tree R. The network paths from the GC to each node are represented as binary
codewords of length equal to N. The kth position of the ith codeword, $C_i(k)$, has a value of one if
node k has to transmit in order for a message unicasted by the GC to reach node i, and a zero
otherwise3. Thus, the length of a path from the GC to node i, $PA_i$, can be obtained by computing
the Hamming Weight $H_w(C_i)$ of the codeword $C_i$ that represents $PA_i$ [161]:

$$H_w(C_i) = \sum_{k=1}^{N} C_i(k). \qquad (3.35)$$

Once codewords have been constructed for each node, we need a metric that allows us to measure
the path distance, defined below, between the paths of any two nodes:

Definition 7 (Path Distance) Let $PA_i$ and $PA_j$ represent the sets of nodes in the broadcast
routing tree R that will relay a unicast message from the GC to nodes i and j respectively. We
define the path distance between i and j as the sum of the nodes $k \in \{(PA_i \cup PA_j) - (PA_i \cap PA_j)\}$.

3 Construction of the codewords is equivalent to generating the connectivity matrix for the network.

Path distance expresses the difference between two paths, in number of nodes. We measure
the path distance between i and j by computing the Hamming Distance $H_d(i,j)$ between their
corresponding codewords [161]:

$$H_d(i,j) = \sum_{k=1}^{N} C_i(k) \oplus C_j(k). \qquad (3.36)$$


3.10.1  The  VP3  Algorithm 

We assume two sets of parameters as inputs: (a) the N x N binary connectivity matrix C, where
each row $C_i$ is a codeword that represents the node path from the GC to node i, such that entry
$C_i(k) = 1$ if node $k \in PA_i$, and $C_i(k) = 0$ otherwise and, (b) a vector E of length N, where the ith
entry $E_i$ indicates the energy expenditure required to unicast a message from the GC to node i,
following the path indicated by the connectivity matrix C. To construct a d-ary key distribution
tree, we execute the following steps:

Step 1: Calculate the Hamming weight $H_w(C_i)$ for each row in C, corresponding to the path
from the GC to node i.

Step 2: Choose the node $i^*$ with the maximum Hamming weight, $i^* = \arg\max_{i \in MG} H_w(C_i)$. If
there is more than one node that satisfies this condition then, from this list, pick the node $i^*$
to be the one with maximum $E_i$.

Step 3: Pick the $(d-1)$ nodes with the shortest Hamming distances $H_d(i^*, j)$, $j \in MG \setminus i^*$. If
there are more than $(d-1)$ nodes with equal $H_d(i^*, j)$, always pick first, if any, the node or
nodes found on the path from the GC to $i^*$. For the remaining nodes, pick those with the
largest $E_j$. Assign a unique KEK to all members chosen in this step.

Step 4: Repeat Steps 2, 3 until all nodes belong in subgroups of at most d nodes and are assigned
a unique KEK.

Step 5: Generate a matrix $C'$ with rows corresponding to the subgroups generated in Step 4
and columns corresponding to the network nodes. An entry $C'_i(k) = 1$ if node k is traversed
by the path from the GC to any of the members of subgroup $S_i$, and $C'_i(k) = 0$ otherwise.
Compute the vector $E'$, the ith entry of which indicates the energy expenditure required to
multicast a message from GC to all members of $S_i$, following the paths indicated by the
connectivity matrix $C'$. Execute Steps 1 ~ 4 with inputs $C'$, $E'$.

Step 6: Repeat Steps 1 ~ 5 until all nodes belong to a single group.
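The following Python code is an added example, not code from the report: it runs Steps 1 to 6 (without the balancing modification of Section 3.10.3) on a small constructed routing tree. The tree, its link costs, the function names and the energy model (each relay transmits once, at the cost of its most expensive needed link) are assumptions; a subgroup row of $C'$ is taken as the bitwise OR of its members' codewords, and a subgroup counts as "on the path" when one of its members relays for the head.

```python
from itertools import chain

GC = 0
# Constructed routing tree (not from the report): child -> (parent, link energy).
ROUTES = {1: (GC, 2), 2: (GC, 4), 3: (1, 3), 4: (1, 6),
          5: (2, 2), 6: (2, 6), 7: (3, 6), 8: (5, 3)}


def path_edges(node, routes):
    """Edges (relay, next_hop) used to unicast from the GC to `node`."""
    edges = []
    while node != GC:
        parent, _ = routes[node]
        edges.append((parent, node))
        node = parent
    return edges


def codeword(unit, routes):
    """Bitmask with bit k set if node k must transmit to reach any member of `unit`.
    For one node this is C_i; for a subgroup it is the row C'_i of Step 5."""
    word = 0
    for member in unit:
        for relay, _ in path_edges(member, routes):
            word |= 1 << relay
    return word


def hamming_weight(word):            # eq. (3.35)
    return bin(word).count("1")


def hamming_distance(a, b):          # eq. (3.36)
    return bin(a ^ b).count("1")


def energy(unit, routes):
    """Energy to reach every member of `unit` (E_i or E'_i).
    Assumption: a relay transmits once, at its most expensive needed link."""
    per_relay = {}
    for member in unit:
        for relay, nxt in path_edges(member, routes):
            per_relay[relay] = max(per_relay.get(relay, 0), routes[nxt][1])
    return sum(per_relay.values())


def group_level(units, routes, d):
    """Steps 1-4: partition `units` into subgroups of at most d units."""
    pool = {u: (codeword(u, routes), energy(u, routes)) for u in units}
    groups = []
    while pool:
        # Step 2: head has the largest Hamming weight, ties go to largest energy.
        head = max(pool, key=lambda u: (hamming_weight(pool[u][0]), pool[u][1]))
        head_word, _ = pool.pop(head)

        def rank(u):
            word, e = pool[u]
            on_path = any((head_word >> m) & 1 for m in u)
            # Step 3: shortest distance, then on-path units, then largest energy.
            return (hamming_distance(head_word, word), not on_path, -e)

        chosen = sorted(pool, key=rank)[:d - 1]
        for u in chosen:
            del pool[u]
        groups.append(frozenset(chain(head, *chosen)))
    return groups


def vp3(members, routes, d):
    """Steps 5-6: regroup the subgroups level by level, leaves upward.
    Stops when at most d subgroups remain; those share only the root key."""
    units = [frozenset([m]) for m in members]
    levels = []
    while len(units) > d:
        units = group_level(units, routes, d)
        levels.append(units)
    return levels


if __name__ == "__main__":
    for depth, groups in enumerate(vp3(range(1, 9), ROUTES, d=2), start=1):
        print(depth, [sorted(g) for g in groups])
```

On this tree the on-path rule of Step 3 pairs node 8 with node 5 rather than with node 6, although both are at Hamming distance 1 and node 6 has the larger unicast energy.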

3.10.2  Applying  VP3  on  a  Sample  Network 

We now present the application of VP3 on the sample network of Figure 3.10(a). The numbers
on the links indicate the energy link cost. Nodes 1 - 8 correspond to members $M_1$ - $M_8$ of MG.
Figure 3.10(c) shows the connectivity matrix C for MG, the Hamming weights $H_w(C_i)$ for each
row $C_i$, and the energy expenditure $E_i$ necessary to send a message from the GC to member $M_i$.

We want to construct a binary key tree (d = 2) using VP3. Column $H_w$ in Figure 3.10(c) shows
the result of executing Step 1. Step 2 identifies node $i^* = 5$ as the node with the greatest $H_w$, and
withdraws it from the pool.

Using Step 3, VP3 finds nodes {7, 2} to have the shortest $H_d$ to 5. Since we need to choose
only one node (d = 2), and 7 is on the path from GC to 5, $\{M_5, M_7\}$ are assigned a unique KEK,
and node 7 is removed from the pool. Note that because node 7 lies on the path from the GC to
node 5, the choice made by VP3 maximizes the length of the common path over the set of available
choices, nodes 2 and 7.
Figure 3.10: (a) The broadcast routing tree for an ad-hoc network of eight nodes plus the GC. Nodes {1 - 8}
are members of MG. The numbers on the links indicate the units of energy required to transmit a message through
that link. The ovals indicate the grouping of the members into the key tree after the execution of VP3. (b) The key
distribution tree constructed by VP3 for the network in Figure 3.10(a). (c) The Connectivity Matrix for the network
in Figure 3.10(a). The first row and first column denote the node ID, column 10 denotes the Hamming weight of
each codeword, and the last column denotes the energy required to unicast a message to each node.

In Step 4, VP3 repeats Steps 2, 3; nodes {2, 6, 8} have the highest $H_w$, and 6 is selected since
it has the highest $E_i$. Since node 8 has the smallest $H_d$ to 6, nodes 6, 8 are paired and $\{M_6, M_8\}$
are assigned a unique KEK. Similarly, VP3 groups $\{M_2, M_3\}$ and $\{M_1, M_4\}$ and a unique KEK is
assigned to each group.

In Step 5, VP3 recomputes the connectivity matrix $C'$ and energy matrix $E'$ for the pairs
generated in Step 4, and repeats Steps 1 to 4. Nodes {2, 3, 5, 7}, {1, 4, 6, 8} are grouped, and
members $\{M_2, M_3, M_5, M_7\}$, $\{M_1, M_4, M_6, M_8\}$ are assigned unique KEKs, respectively. At this
point the SEK is assigned to all members and the key tree construction is completed. Figure 3.10(b)
presents the key distribution tree.

3.10.3  Balancing  Trees  for  Improved  Energy-Efficiency 

In [121], Moyer et al. define the concept of balanced trees and show that maintaining such trees
ensures that GC transmissions during rekey operations are kept at $O(d \log_d N)$.

Definition  8  (Balanced  Tree)  A  tree  is  said  to  be  balanced,  if  leaf  depth  differs  by  at  most  one 
between  any  two  leaves  of  the  tree  [121]. 

We note that, depending on the size of MG, the application of VP3 may yield an unbalanced
tree. Unbalanced trees have been shown to require more GC key transmissions, since their average
leaf ancestor weight $w_a(T)$ is larger compared to that of balanced trees [83, 121, 149]. Hence,
unbalanced trees, on average, require more energy for rekeying, as will be shown in Section 3.11.

Figure 3.11: (a) An unbalanced ternary key tree of N = 10, $w_a(T) = 7.5$. (b) Balancing the tree reduces $w_a(T)$ to
7.2.

We now illustrate how the use of balanced trees reduces $w_a(T)$ in a tree, which leads to savings
in GC transmissions. Figure 3.11(a) shows an unbalanced ternary key tree for a ten node network,
in which the empty branches at levels 0 and 1 are left indicated. The ancestor weight $w_a(M_i)$
for the leftmost nine leaves is eight, $w_a(M_{10}) = 3$, and $w_a(T) = 7.5$. By contrast, Figure 3.11(b)
shows a balanced tree with $w_a(M_i) = 7$, $i \in \{1, \ldots, 8\}$, $w_a(M_9) = w_a(M_{10}) = 8$, and $w_a(T) = 7.2$.
Nevertheless, an analysis of Figures 3.11(a) and 3.11(b) reveals that the subgroups in both
representations are mostly unaffected. For example, subgroups $S_{2,1}$ and $S_{2,2}$ in Figure 3.11(a) have
the same members as $S_{1,1}$ and $S_{1,2}$ in Figure 3.11(b).

Our  simulation  results  show  that  balancing  trees  has  significant  impact  on  energy  consumption 
as  N  increases.  Hence,  we  have  modified  VP3  to  always  construct  balanced  trees  without  affecting 
the  efficiency  of  the  resulting  partitions  of  MG  into  subgroups  of  the  desired  size.  We  do  this  by 
distributing  members  among  the  branches  of  T,  as  evenly  as  N  will  allow.  If  an  even  distribution  of 
members  among  the  branches  of  T  is  not  feasible,  we  favor  grouping  of  the  remaining  members  into 
the  subgroups  with  shortest  paths.  We  now  describe  the  algorithmic  steps  involved  in  balancing 
the  tree. 

Before building the key tree structure, we calculate the number of members that should be
assigned to each subgroup at level h of the tree. This is done by computing the number of branches
B in the balanced tree at level $(h-1)$, $B = d^{(\lceil \log_d N \rceil - 1)}$. We then assign $g = \lfloor N/B \rfloor$ members to each
subgroup at level h. The remaining $L = N - gB$ members are assigned one to each of the last L
subgroups to be formed by the first iteration of VP3. For example, for the tree in Figure 3.11(b),
the number of subgroups at level h is equal to the number of nodes in the balanced tree at level
$(h-1)$, $B = 3^{(\lceil \log_3 10 \rceil - 1)} = 9$, and each subgroup will have at least $g = \lfloor 10/9 \rfloor = 1$ node. We then
have $L = 10 - (1)(9) = 1$ node left ($M_{10}$), which is assigned to the last group formed by the first
iteration of the algorithm, $S_{2,9}$. Note that the added computational cost of balancing the trees is
that of computing three quantities: B, g and L.

In Figure 3.12, we present the pseudo-code for VP3, including the balanced tree modification.
The ConnectivityMatrix() function computes the connectivity matrix for its argument set. The
EnergyMatrix() function computes the energy required to reach a set of nodes sharing a common
key from the GC, where each set is an element of the argument. Initially, the argument to both
functions is the set of all members of MG. With the construction of every subsequent level l of the
key tree, the argument will be the set of groups generated in the previous level. The AssignKey()
function assigns a KEK to every element of the argument set.

    C = ConnectivityMatrix(MG), E = EnergyMatrix(MG)
    B = d^(⌈log_d N⌉ − 1), g = ⌊N/B⌋
    for l = 1 : ⌈log_d(N)⌉
        Hw(i) = Σ_{j=1}^{N} C_i(j), ∀ rows C_i
        for k = 1 : B
            i* = arg max_{i ∈ MG} Hw(i)
            if |i*| > 1 then i* = arg max_{i ∈ i*} E_i
            MG = MG \ {i*}
            j' = {j ∈ MG ∋ arg min_{j ∈ MG} Hd(i*, j)}
            if l > 1 then gs = d, else gs = g
            if l == 1 and k > N − gB then gs = gs + 1
            if |j'| > (gs − 1) choose j' ∈ path GC → i*
                and (gs − 2) ∈ j' ∋ arg max_{i ∈ j'} E_i
            MG = MG \ {j'}, G = G ∪ j'
            AssignKey(j')
        endfor
        MG = G
        C = ConnectivityMatrix(MG)
        E = EnergyMatrix(MG)
    endfor

Figure 3.12: Pseudo-code for VP3. The ConnectivityMatrix() function computes the connectivity matrix for its
argument set. The EnergyMatrix() function computes the energy required to reach a group of vertices from the
GC, where the groups are elements of the vector argument. The AssignKey() function assigns a common key to
every element of the argument set.


3.10.4 Algorithmic Complexity of VP3

The algorithmic complexity of VP3 is determined by the complexity of its subgrouping process.
The algorithm first identifies the codeword $C_{i^*}$ with the largest Hamming weight, then computes
the Hamming distances from all other codewords to $C_{i^*}$, and picks the $(d-1)$ codewords with the
shortest Hamming distance to $C_{i^*}$. This process has to be repeated [A.] times at each of $(h-1)$
tree levels, where $j = h - i$, and i is the tree level being built. The total number of operations for
this process is:


h- 1 


£  £ 


( d  +  2) 


d-  1 


<  d3N2. 


(3.37) 


Since, in general, we are interested in trees with small d, the worst case algorithmic complexity of
VP3 is $O(N^2)$.4

4 Our simulation results show that $d \in \{3, 4\}$ provide the best results in both average update energy and MG
update messages.

3.10.5 An Analytical Bound for Subgroup Choices in VP3

In this section we evaluate the deviation of a subgrouping choice made by VP3 from the optimal
choice, by computing the worst case cumulative path divergence $A(S)$, defined below, for a subgroup
S, of arbitrary size, with subgroup head $a(S)$:

Definition 9 - (Sub)group Head, $a(S)$ - We define the (sub)group head $a(S)$ of a (sub)group S as
the (sub)group member that satisfies $a(S) = \arg\max_{i \in S} \{E_i\}$.

Definition 10 - Cumulative Path Divergence - The cumulative path divergence $A(S)$ of a subgroup
S with subgroup head $a(S)$ is defined as:

$$A(S) = \sum_{k=1}^{N} \left[ \overline{C_{a(S)}} \circ \Big( \bigvee_{i \in S \setminus a(S)} C_i \Big) \right]$$

where the symbol $\vee$ denotes successive bitwise OR operations over the codewords of all members of
the set $S \setminus a(S)$, the symbol $\circ$ denotes a single bitwise AND operation, and $\overline{C_i}$ denotes the
complement operation on codeword $C_i$.

$A(S)$ expresses the number of additional transmissions required by the network, so that a
multicast message sent by the GC reaches all members of $S \setminus a(S)$, once the subgroup head $a(S)$
has already been reached.

Figure 3.13: The cumulative path divergence between nodes 6 and 8 is $A(6,8) = 1$. Note that the common path
between nodes 6 and 8 goes from the GC to node 2 and $A(2,6) = 0$.

As an example, in Figure 3.13 the path distance between nodes {2, 6} is $H_d(2,6) = 3$, but their
path divergence is $A(2,6) = 0$, since node 2 is in the path from GC to node 6, and is reached for
free whenever a message is sent to node 6. Similarly, for S = {6, 8, 10}, $a(S) = 6$, and $A(S)$ can
be computed as:

$$C_6 = 1101100000, \quad \overline{C_6} = 0010011111,$$

$$C_8 = 1100001000, \quad C_{10} = 1000000010,$$

$$A(S) = \sum_{k=1}^{10} \left[ \overline{C_6} \circ (C_8 \vee C_{10}) \right] = 2.$$

$A(S) = 2$ denotes the two additional transmissions 7 → 8 and 9 → 10 required to deliver a message
m to nodes 8 and 10, when m is sent to 6.
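As an added check (not part of the report), the Python below recomputes the worked values above from the codewords printed for Figure 3.13 and also returns which relay positions cause the divergence. The function names are hypothetical, the codeword for node 2 is constructed to match the stated common path, and the leftmost position of each codeword is taken to be position 1.

```python
def parse(bits):
    """Codeword string -> set of relay positions; leftmost character is position 1."""
    return {k for k, b in enumerate(bits, start=1) if b == "1"}


# Codewords printed in the example for Figure 3.13.
C = {6: parse("1101100000"), 8: parse("1100001000"), 10: parse("1000000010")}
# Constructed (not printed in the report): node 2 is reached directly from the GC.
C[2] = parse("1000000000")


def path_distance(i, j):
    """Hamming distance of eq. (3.36): relays used by exactly one of the two paths."""
    return len(C[i] ^ C[j])


def extra_relays(head, members):
    """Relays that must transmit for the non-head members but not for the head:
    complement(C_head) AND (OR of the other members' codewords)."""
    needed = set().union(*(C[m] for m in members if m != head))
    return sorted(needed - C[head])


def path_divergence(head, members):
    """Cumulative path divergence A(S) for subgroup `members` with the given head."""
    return len(extra_relays(head, members))


if __name__ == "__main__":
    print("Hd(2,6)      =", path_distance(2, 6))
    print("A({2,6})     =", path_divergence(6, [2, 6]))
    print("A({6,8})     =", path_divergence(6, [6, 8]))
    print("A({6,8,10})  =", path_divergence(6, [6, 8, 10]),
          "via relays", extra_relays(6, [6, 8, 10]))
    # The measure depends on the head: with node 2 as head, reaching node 6
    # still needs three more transmissions.
    print("head 2, {2,6}:", path_divergence(2, [2, 6]))
```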

VP3 aims to reduce the energy cost of the key distribution tree by maximizing energy savings
when building a partition of MG into subgroups of size d. The idea is to maintain total subgroup
cost $E_S$ as close to the unicast cost of the subgroup head as possible. Thus, we consider a subgroup
S achieves optimal cost if $E_S = E_{a(S)}$, where $a(S) = \arg\max_{i \in S} \{E_i\}$.
Figure 3.14: (a) Worst case for VP3. For the subtree rooted at C, VP3 will select the following subgroups:
{A, B, F}, {C, D, E} first, and leave node G isolated. Similar choices will leave nodes K and J isolated. Therefore
$S_7 = \{G, K, J\}$.

It is important to point out that $E_S = E_{a(S)}$ implies that $A(S) = 0$, i.e., no additional
transmissions are required to reach any of the members in $S \setminus a(S)$ when $a(S)$ is reached. Hence,
$E_S = E_{a(S)}$ indicates that a message multicasted from the GC to S will be relayed with the minimum
number of MG update messages for the given routing tree R. That is, $E_S = E_{a(S)}$ implies optimal energy
update cost and optimal MG update messages when transmitting a message to S, for fixed R.

We note that while $E_S = E_{a(S)}$ implies $A(S) = 0$, the converse is not true, as can be shown by
the example of Figure 3.13. Let S = {3, 5, 6}, and assume that $E_{4 \to 3} > E_{4 \to 5}$. In that case, though
$A(S) = 0$, we can see that $E_S = E_6 - E_{4 \to 5} + E_{4 \to 3} > E_6$.

We  now  calculate  the  worst  case  cumulative  path  divergence  for  a  subgroup  S  of  size  d,  when 
S  is  generated  using  the  decision  process  of  VP3: 


Lemma 4 The maximum cumulative path divergence A^(S), for a subgroup S of size $d \geq 2$ is:

A^(S) = $(d-1) \max H_w(i)$, $i \in R$.


Proof 18 VP3 will achieve its worst-case bound when $|S \setminus a(S)| = (d-1)$ subgroup members have
$A(a(S), i) = \max[H_w(j),\ i \in S \setminus a(S),\ j \in R]$. We present a construct that achieves this
worst-case bound in Figure 3.14. Assume d = 3 and, without loss of generality, assume Ea > Ee >
Eq > Ep > Ep>, so that VP3's first subgroup choices within the subtree $R_C$ rooted at node C will
be $S_1 = \{A, B, F\}$ and $S_2 = \{C, D, E\}$, as shown in Figure 3.14. Note that these choices leave
node G isolated from those nodes of the broadcast routing tree R that have not been grouped yet.
Similarly, VP3's subgrouping choices for subtrees Rp and Rj, rooted at nodes Fd and I respectively,
will leave one isolated node in each subtree, nodes J and K. Since the roots of d = 3 subtrees are
all connected to GC, the only subgrouping choice there remains for VP3 to take is $S_7 = \{G, J, K\}$,
the three nodes shown in gray in Figure 3.14. Note that the paths of the three subgroup members
have a common node in GC, hence, the length of their common path is zero, and A(a($S_7$), i) =
$H_d(i, GC)$ = ∈ $S_7 \setminus a(S_7)$. Finally, since $H_w(G) = H_w(J) = H_w(K) = \max H_w(i)$ for
$i \in R$, and $|S_7 \setminus a(S_7)| = (d-1)$, we have that $A(S_7) = (d-1) \max H_w(i)$.

Figure 3.15: Experiment 1 - Homogeneous Medium: (a) Application of LocKeD in a free space area for 10 different
network topologies of 64 nodes plus the GC, compared with the energy expenditure of the minimum, maximum and
mean performing tree out of the 10,000 examined tree structures. (b) Application of LocKeD in a free space area for
different network sizes averaged over 100 network topologies.


3.11 Performance Evaluation in the Absence of Routing Information

3.11.1  Simulation  setup 

Simulation  studies  were  performed  on  randomly  generated  network  topologies  confined  in  a  specific 
region.  Since  there  is  no  algorithm  to  provide  the  minimum  energy  solution  for  the  key  distribution 
tree  construction,  we  performed  an  exhaustive  search  for  small  group  sizes  N  =  8,  N  =  16.  For 
larger  group  sizes,  N  =  32, 64, 128,  256,  we  generated  for  each  network  instance,  10,000  different 
random  key  tree  structures.  Out  of  the  10,000  randomly  generated  structures,  we  selected  the  key 
trees that resulted in the minimum and maximum $E_{Ave}$ and compared them with the performance
of  our  algorithms.  We  also  computed  the  mean  performance  of  the  10,000  random  key  trees  and 
compared  that  with  LocKeD  and  PAKeD-KM.  We  repeated  the  same  comparison  for  100  different 
network  topologies  and  averaged  the  results. 


3.11.2 Experiment 1: Network deployed in a homogeneous medium - Free space case

In our first experiment we assumed that the network was deployed in an open space area. We
confined the network in a 10x10 region and evaluated the performance of LocKeD. In Figure 3.15(a),
we compare LocKeD with the minimum and maximum performing tree as well as the average,
out of the 10,000 randomly generated tree structures. We can observe that the key tree with the
best performance spends 1.3%-16.7% less energy than LocKeD. However, if location is neglected,
LocKeD spends 24.4%-54.2% less, compared to the key tree with the maximum average key update
energy and 14.2%-36.4% less, compared to the mean of all generated trees, for the 10 networks in
Figure 3.15(a).

Figure 3.16: Experiment 2 - Heterogeneous Medium: Application of PAKeD for different network sizes, compared
with the energy expenditure of the minimum, maximum and mean performing tree out of the 10,000 randomly
generated tree structures when (a) the network is deployed in a suburban area, (b) the network is deployed in an
office building.

In Figure 3.15(b), we show the results of LocKeD as a function of the multicast group size
N, averaged over 100 network topologies for each N. LocKeD spends on average 9% more
energy for re-keying, compared to the key tree with the minimum $E_{Ave}$. LocKeD spends on average
57% less energy for re-keying, compared to the key tree with the maximum $E_{Ave}$, and 32% less,
compared to the mean of all randomly generated trees.


3.11.3 Experiment 2: Network deployed in a heterogeneous medium - Suburban area

In our second experiment, we evaluated the performance of PAKeD for a slowly varying
heterogeneous medium. We considered a suburban area where the attenuation factor $\gamma$ is not constant
throughout the network deployment region. However, we assumed that it changes slowly across
space. In Figure 3.16(a), we compare PAKeD-KM with the minimum, maximum, and average
performing tree out of the 10,000 randomly generated trees, as a function of the multicast group
size N, for networks deployed in a suburban area. We observe that PAKeD-KM spends on
average 19% more energy for rekeying, compared to the key tree with the minimum average key
update energy. PAKeD-KM spends on average 70% less energy for rekeying, compared to
the key tree with the maximum average update, and 59%, compared to the mean of all randomly
generated trees.

We note that the key tree with the maximum $E_{Ave}$ spends almost three times as much energy
as the tree constructed with PAKeD-KM. This is due to the fact that sending messages in a
heterogeneous environment requires more energy than in a homogeneous one, and using an inefficient
key distribution scheme can lead to great waste of energy resources.

Figure 3.17: Comparison of PAKeD-KM with LocKeD for a network deployed in (a) a suburban area, (b) an office
building.

In Figure 3.17(a), we compare PAKeD-KM with LocKeD, for networks of different group
sizes deployed in a suburban area. We observe that LocKeD performs 20% worse than PAKeD-KM.
By comparing Figures 3.16(a) and 3.17(a), we note that the performance of LocKeD is still
significantly better than the average and worst case random key trees.


3.11.4 Experiment 3: Network deployed in a heterogeneous medium - indoor environment

In  our  third  simulation  experiment,  we  evaluated  the  performance  of  the  PAKeD  algorithm  for 
a  rapidly  changing  heterogeneous  medium.  In  figure  3.16(b),  we  compare  the  PAKeD-KM  with 
the  minimum  and  maximum  performing  tree  as  well  as  the  average  out  of  the  10,000  randomly 
generated  trees,  for  different  multicast  group  sizes  in  an  indoor  environment.  We  observe  that 
the  PAKeD-KM  spends  on  average  17%  more  energy  for  rekeying,  compared  to  the  key  tree  with 
the  minimum  average  key  update  energy.  The  PAKeD-KM  spends  on  average  72%  less  energy 
for  rekeying,  compared  to  the  key  tree  with  the  maximum  average  update,  and  56%  less  when 
compared  to  the  mean  of  all  randomly  generated  trees. 

In  figure  3.17(b),  we  compare  PAKeD-KM  with  LocKeD  for  different  group  sizes  deployed  in 
an  office  building.  As  expected,  LocKeD  performs  poorly  in  the  indoor  environment  by  spending 
96%  more  energy  for  rekeying  than  PAKeD-KM.  In  the  indoor  environment  physical  proximity  is 
not  increasing  monotonically  with  “power  proximity”  and  clustering  based  on  location  fails  to  give 
an  energy-efficient  key  distribution  tree. 
Figure 3.18: (a) Performance of RAwKey for different N. (b) Comparison of RAwKey with LocKeD for different N.
(c) Comparison of RAwKey under different routing algorithms.


3.12 Performance Evaluation in the Presence of Routing Information

Evaluation  of  RAwKey  algorithm 

In this section we evaluate the performance of our routing-aware key distribution algorithm. In
Figure 3.18(a), we observe that RAwKey yields significant savings compared to a tree structure that
does not take into account the routing information. It has slightly worse performance compared
to the best tree out of the 10,000 trees and gives significant savings compared to the median and
worst possible tree. In Figure 3.18(b), we compare the performance of RAwKey with the
location-aware key distribution scheme (LocKeD). We show the percentage difference
$\left( \frac{E_{Ave}^{RAwKey} - E_{Ave}^{LocKeD}}{E_{Ave}^{RAwKey}} \% \right)$
between RAwKey and LocKeD for different number of nodes. RAwKey outperforms LocKeD by
5.4-8.2%, since LocKeD may fail to capture the circularity of the broadcast advantage.

3.12.1  Performance  of  RAwKey  under  different  routing  algorithms 

In our fifth experiment we compared the performance of RAwKey under different routing algorithms
and for different multicast group sizes. We generated random topologies and constructed the
multicast routing tree using BIP [164], EWMA [58], MST [49] and SPR [49]. We applied RAwKey
under the different routing algorithms and measured $E_{Ave}$. In Figure 3.20 we observe that SPR
gives the minimum re-key energy expenditure, BIP and MST have similar performance, while
EWMA needs increasing energy for re-keying as the multicast group size grows.

If we study the routing trees resulting from the application of the four algorithms (Figure 3.19) we observe that SPR, BIP and MST tend to be multi-hop in contrast to EWMA that covers many nodes with one transmission. Although a single transmission is beneficial for broadcasting a message to all members of the multicast group and reducing the total transmit power, it proves inefficient when messages need to be transmitted to small sub-groups or even unicasted. Re-keying after a member deletion involves many transmissions to smaller groups than MG. SPR is optimized for unicast transmissions and therefore delivers keys to single members with minimal energy cost. On the other hand, EWMA requires the most energy for unicasting, since it favors long range transmission to cover many nodes.

Figure 3.19: Multicast routing tree constructed with (a) BIP, (b) MST, (c) SPR, (d) EWMA.

3.12.2  Evaluation  of  VP3  algorithm 

To  evaluate  the  performance  of  VP3,  we  generated  random  network  topologies  confined  to  a  region 
of  size  100x100.  Following  the  network  generation,  we  used  the  Broadcast  Incremental  Power  (BIP) 
algorithm [164] to construct and acquire the routing paths from the GC to every group member.⁵
The  routing  tree  was  also  used  to  calculate  the  energy  required  to  reach  any  group  of  members. 


3.12.3  Comparison  between  VP3  and  RAwKey 

In our first experiment, we compared VP3 with RAwKey. We also compared VP3 with a random key assignment algorithm as in wired networks [162,165]. Since for a fixed key tree degree d, the key assignment structures built by VP3, RAwKey, and the random key tree algorithm have the same member storage and GC transmissions requirements, we compared the three methods in terms of average MG update messages $m_{Ave}$, and average update energy $E_{Ave}$.

Figure 3.23(a) shows the $m_{Ave}$ (top graph), and $E_{Ave}$ (bottom graph), for trees of degree d = 4 and for different multicast group sizes N. All trees were left unbalanced. Due to space limitations,

⁵ Any other suitable routing algorithm can be applied as well [58, 164].




Figure  3.20:  Comparison  of  the  RAwKey  under  different  routing  algorithms. 


we have omitted the results for binary and ternary trees. In the top graph of Figure 7(a), we observe that sudden increases in $m_{Ave}$ occur when $N = d^i + 1$, $i \in \mathbb{Z}^+$. The increases in $m_{Ave}$ are a consequence of leaving the key tree unbalanced, since in that case the average leaf ancestor weight $w_a(M_i)$ significantly increases for those nodes with large Hamming weight $H_w$ during the transition from $N = d^i$ to $N = d^i + 1$. As noted, an increase in $w_a(M_i)$ for those nodes with large $H_w$ implies an increase in the number of GC transmissions directed to nodes with longer paths, which in turn leads to an increased number of relaying messages.

The bottom graph of Figure 3.23(a) shows the $E_{Ave}$ for different multicast group sizes N. We observe that the sudden increases in $m_{Ave}$ from the top graph of Figure 3.23(a) translate into sudden increases in $E_{Ave}$, also due to the use of unbalanced trees. As N continues to increase, however, $w_a(T)$ decreases, and $E_{Ave}$ is reduced. This happens because the size of the deployment area is fixed. Thus, as N increases and the nodes become more densely packed, the number of relaying messages required to rekey MG increases, but the average energy cost per relayed message decreases.

Figure 3.23(b) shows the performance improvement achieved by VP3, over RAwKey, on both $m_{Ave}$ and $E_{Ave}$, for key trees of degree $d \in \{2,3,4\}$. While average improvement on both metrics is 20%, the average for networks of size N > 150 increases to 28%. The difference in performance between VP3 and RAwKey occurs due to the near optimal decision process of VP3 when compared to RAwKey, which ignores path direction [109,110].

Figure 3.22(a) compares both $m_{Ave}$ and $E_{Ave}$ for key trees of degree $d \in \{2,3,4\}$, generated using VP3. We note that binary trees are clearly outperformed by ternary and quaternary trees, which in turn perform quite similarly for the selected sizes of MG. This happens because the number of GC transmissions increases much more rapidly for binary trees, due to the increase in tree height. Nevertheless, the trend is inverted for d > 4, because the increase in subgroup size d implies an increase in the number of unicast transmissions required for rekeying. This increase outweighs reductions due to shorter tree height. Our simulations show that the best results are obtained when we use key trees of degree $d \in \{3,4\}$.
Figure 3.21: $\Delta(S_i)$ that was observed in 29,300 randomly generated networks. Networks of size $N \in [8,300]$ were generated at random, 100 networks for each size. The histograms show the percentage of subgroups of size $d \in \{3,4,5,6\}$ that showed $\Delta(S_i) > 0$, over the total number of subgroups that were formed by VP3, for all networks.


3.12.4  Effect  of  the  Use  of  Balanced  Tree  Topologies  with  VP3 

In  our  second  experiment,  we  evaluated  the  effect  of  balancing  the  key  tree  structures,  as  described 
in  Section  3.10. 

The top graph in Figure 3.22(b) shows the effect of balanced tree topologies on $m_{Ave}$. We observe that $m_{Ave}$ grows almost linearly with N. This is to be expected, since the MG update messages required to complete rekey operations are not bounded by the size of the area in which networks were generated.

The bottom graph in Figure 3.22(b) shows the improved $E_{Ave}$ achieved by VP3 when balancing the tree structure. $E_{Ave}$ is almost constant for networks of size N > 50, both for ternary and quaternary trees. The size of the deployment area is fixed, thus, as N increases and the nodes become more densely packed, the number of MG update messages increases, but the average energy cost per message decreases. Since VP3 provides near optimal grouping of members, the increase in relay messages does not increase $E_{Ave}$.

3.12.5  Path  Divergence  of  VP3 

For our third experiment, we generated 100 networks for each network size $N \in [8, 300]$ (a total of 29,300 networks), in an area of 100x100. We then employed VP3 to partition each network into groups of size $d \in \{3,4,5,6\}$ (steps 1-4 of VP3) and evaluated $\Delta(S_i)$ for each of the resulting subgroups, using (3.38).⁶

Figure 3.22: (a) Comparison in performance of VP3 for trees of degree $d \in \{2,3,4\}$. The graph on the top shows $m_{Ave}$, and the graph on the bottom shows $E_{Ave}$. (b) Average MG update messages and average update energy for different multicast group sizes, for balanced and unbalanced trees.

The histograms in Figure 3.21 present the percentage of subgroups that showed a $\Delta(S_i) > 0$, for subgroups of different size. As an example, in Figure 3.21(a) only 0.03% subgroups of size d = 3 out of the subgroups formed from the 29,300 networks tried, had $\Delta(S) > 0$.

Note that while the worst-case bound indicates that $\Delta_3(S) = \max H_w(i)$, the conditions required to achieve this divergence occur in the specific network topology shown in Figure 3.14 in Appendix II, and all its isomorphics. In fact, none of the subgroups obtained in our simulations exceeded $\Delta(S) = 1$, for d = 3, and we did not find a case in which $\Delta(S) > 7$, for $d \in \{3,4,5,6\}$. Our simulations suggest that the worst-case bound in (3.38) may be overly pessimistic for most networks, and that the vast majority of groups generated by the decision process of VP3 have zero path divergence.


3.13  Summary  of  Contributions 

We  studied  the  problem  of  energy-efficient  key  management  for  group  communications  in  wireless 
ad  hoc  networks.  We  considered  the  key  management  problem  under  four  metrics,  namely  member 
key  storage,  GC  transmissions,  MG  update  messages  and  average  update  energy.  For  each  metric 
we  formulated  an  optimization  problem  and  showed  that  the  problem  has  unique  solutions  in  terms 
of  member  key  storage  and  GC  transmissions,  while  it  is  NP-complete  in  terms  of  MG  messages 
and  average  update  energy.  Since  no  unique  solution  concurrently  optimizes  all  four  metrics,  we 
considered  the  problem  of  minimizing  the  MG  update  messages  and  average  update  energy,  while 
keeping  the  member  key  storage  and  the  GC  transmissions  bounded. 

We noted that while the balanced key trees are efficient solutions in terms of key storage and MG update messages, the key trees did not consider energy and network bandwidth as a design parameter. In order to incorporate the energy/bandwidth-efficiency into the key trees, we introduced a new performance evaluation metric called average energy update cost. We characterized this metric in terms of the network topology, the properties of the propagation medium and the
⁶ For d = 2 it can be proved analytically that VP3 partitions each network into subgroups with $\Delta(S) = 0$.
Figure 3.23: A comparison between the VP3, RAwKey and the random key tree algorithm. (a) The graph on top shows the average number of MG update messages, and the graph below shows average update energy. Each data point is the average result over 100 randomly generated networks. (b) % of improvement in both $m_{Ave}$ and $E_{Ave}$ obtained by VP3 over RAwKey for different sizes of MG.

degree  of  the  key  tree.  We  then  noted  that  depending  on  whether  the  propagation  medium  is 
homogeneous  or  heterogeneous,  we  could  formulate  problems  with  different  cost  functions  and 
computational  complexities  for  the  cross-layer  design  problem.  We  also  presented  the  complexities 
of  our  algorithms  and  showed  the  pitfalls  of  trying  to  find  a  globally  optimal  solution.  We  also 
proposed  RAwKey,  a  routing-aware  key  distribution  algorithm  that  takes  into  account  the  routing 
paths  used  to  distribute  keys  to  valid  members  of  the  multicast  group.  Finally,  we  presented  VP3, 
a  heuristic  cross-layer  key  distribution  algorithm  that  takes  into  account  network  flows  in  order  to 
provide  a  resource  efficient  key  distribution  scheme.  We  presented  simulation  results  and  applied 
our  algorithms  to  different  environments  and  showed  significant  energy  savings  using  our  algorithms 
that  demonstrate  the  advantage  of  a  cross-layer  design  approach. 


3.14  Appendix 

3.14.1  On  the  Optimality  of  the  Refinement  Algorithm 

The refinement algorithm⁷ balances the cluster sizes obtained from the application of the clustering algorithm. When we balance two clusters, we move an object from cluster A to cluster B so that we minimally increase the total inter-cluster dissimilarity. For the binary case, this greedy approach leads to an optimal solution for the constrained optimization problem in (3.21). However, if the number of clusters is greater than two, the refinement algorithm in (3.22) need not lead to balanced clusters of minimum total dissimilarity. We illustrate these points with the example given below.

Consider the clusters A, B, C shown in figure 3.24, with $|A| = n + k$, $|B| = n - k_1$, $|C| = n - k_2$ and $k = k_1 + k_2$. We specialize to the case where $k = 2$, $k_1 = 1$ and $k_2 = 1$. According to the refinement algorithm, we must move two objects from A to B, C (one to B, one to C). We initially find the object $i^* \in A$ such that:

⁷ The pseudo-code of the algorithm is presented in figure 3.6(b).

Figure 3.24: Sub-optimality of the refinement algorithm. Three un-balanced clusters A, B, C with $|A| = n + k$, $|B| = n - k_1$, $|C| = n - k_2$ and $k = k_1 + k_2$. (a) Moving r to B and q to C results in a sub-optimal solution. (b) Moving l, r to B and g to C results in a better solution than moving l to B and r to C.

i*  =  arg  mm[dlmx  -  X  =  {B,C}.  (3.39) 

For  figure  3.24(a)  there  are  two  optimal  objects,  i*  =  {l,  r}  that  can  be  moved  from  set  A  since 
ditmA  =  and  dz,ms  =  dr,ms  ■  Assume  that  object  r  is  moved  from  A  to  B.  Note  that  object  r 

minimally  increases  the  cluster  dissimilarity,  out  of  all  objects  of  A  that  could  be  possibly  moved 
to  cluster  C .  Hence,  if  any  other  object  (q  for  example)  is  moved  from  A  to  C  to  balance  C ,  the 
total  cluster  dissimilarity  will  be  higher  compared  to  the  case  where  l  is  moved  to  B  and  r  is  moved 
to  C. 

Finding the two objects from cluster A to be moved to clusters B and C respectively so that the total dissimilarity is minimized requires exhaustive search through all possible combinations of object movements. In our example, two points out of the (n + 2) points in set A need to be moved. There are (n + 2)(n + 1) possible combinations to be inspected. In the general case where $k_1, k_2, \ldots, k_s$ objects need to be moved from cluster A that has $n + k$ initial points, to clusters $B_1, B_2, \ldots, B_s$ which contain $n - k_1, n - k_2, \ldots, n - k_s$ points respectively, where $k = \sum_{i=1}^{s} k_i$, the number of possible combinations is:

$$\binom{n+k}{k_1}\binom{n+k-k_1}{k_2}\cdots\binom{n+k_s}{k_s}. \qquad (3.40)$$


A  careful  consideration  shows  that  when  the  number  of  clusters  involved  is  more  than  two, 
identification  and  moving  of  a  set  of  objects  to  different  clusters  need  to  consider  all  clusters 
simultaneously,  not  just  the  cluster  with  extra  objects.  In  other  words,  simply  moving  the  extra 
objects  with  the  highest  dissimilarity  from  the  bigger  clusters  to  the  smaller  ones  need  not  lead  to 
optimality.  We  illustrate  it  now. 

Consider the figure 3.24(b). Set $k = 2$, $k_1 = 1$, and $k_2 = 1$. Hence, to construct balanced clusters, two objects need to be removed from the cluster A and the size of the clusters B and C should increase by one. We need to move objects with minimal increase in dissimilarity. Assume that moving node r or l from A to B increases minimally the total cluster dissimilarity. Also assume that the node g in cluster B has the lowest dissimilarity with respect to cluster C. Then, moving both objects l, r to cluster B and then moving object g from cluster B to cluster C will result in lower total cluster dissimilarity than simply moving l to B and r to C.

From this example, we note that examining and maintaining a list of points and their dissimilarities for every cluster and every point is important. Hence, when there are more than two clusters, the complexity of finding the globally optimal solution for the optimization problem in (3.21) requires inspection in each cluster and is even higher than the one expressed in (3.40). Therefore, due to the complexity of finding the optimal solution, it is preferable to adopt the sub-optimal solution for balancing the clusters, provided by the refinement algorithm.
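The case of figure 3.24(a) can be reproduced numerically. The following Python sketch is an added example, not code from the report: it assumes fixed medoids, uses Euclidean distance in place of the power-based dissimilarity, and uses constructed coordinates for the objects l, r, q. It compares the greedy move selection with the exhaustive search over the (n + 2)(n + 1) combinations.

```python
import math
from itertools import permutations

# Constructed instance (assumption): medoids stay fixed while objects move.
MEDOID = {"A": (0, 0), "B": (10, 0), "C": (0, 10)}
# Objects of the oversized cluster A (n + 2 = 4 objects, so n = 2).
CLUSTER_A = {"a0": (0, 0), "l": (4, -1), "r": (5, 4), "q": (-1, 3)}


def move_cost(obj, target):
    """Increase in dissimilarity when obj leaves A for target:
    d(obj, m_target) - d(obj, m_A). Euclidean distance stands in for the
    report's power-based dissimilarity (assumption)."""
    p = CLUSTER_A[obj]
    return math.dist(p, MEDOID[target]) - math.dist(p, MEDOID["A"])


def greedy_refine(deficits):
    """Greedy refinement: repeatedly take the cheapest (object, cluster)
    move among the clusters that still need objects."""
    need = dict(deficits)
    remaining = set(CLUSTER_A)
    moves, total = [], 0.0
    while any(need.values()):
        cost, obj, target = min(
            (move_cost(o, t), o, t)
            for o in sorted(remaining)
            for t in sorted(need)
            if need[t] > 0
        )
        remaining.discard(obj)
        need[target] -= 1
        moves.append((obj, target))
        total += cost
    return moves, total


def exhaustive_refine():
    """Inspect every ordered pair (i -> B, j -> C). For |A| = n + 2 this is
    (n + 2)(n + 1) combinations, the count given in the text."""
    best, inspected = None, 0
    for to_b, to_c in permutations(sorted(CLUSTER_A), 2):
        inspected += 1
        total = move_cost(to_b, "B") + move_cost(to_c, "C")
        if best is None or total < best[1]:
            best = ([(to_b, "B"), (to_c, "C")], total)
    return best[0], best[1], inspected


if __name__ == "__main__":
    print("greedy    :", greedy_refine({"B": 1, "C": 1}))
    print("exhaustive:", exhaustive_refine())
```

Greedy sends r to B first because that move is the cheapest single step, which leaves only q as a reasonable candidate for C; the exhaustive search instead sends l to B and keeps r for C.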

3.14.2  Algorithmic  details  of  PaKeD-KM  and  PaKeD-DH 

Power  Aware  Key  Distribution  based  on  K-Medoids  (PAKeD-KM) 

In figure 3.25(a), we present the pseudo code for the Power-Aware Key Distribution - K-Medoids (PAKeD-KM) algorithm, that utilizes a “power proximity” clustering algorithm based on K-medoids [157], [95]. We now describe the notational and algorithmic details of PAKeD-KM given in figure 3.25(a).

Initially, all members (objects) belong to the global cluster V. The AssignKey(V) function assigns the SEK to all members of the group. The Power(C, γ) function computes the dissimilarities between members according to the path loss information, and stores them in matrix diss.

Choice between CLARA and PAM in PAKeD-KM: Depending on the network size, we employ either PAM or CLARA as a method for dividing the global cluster into sub clusters. CLARA algorithm is chosen over PAM if the network size N is bigger than a threshold MaxSize. Studies in [95] showed that PAM becomes inefficient for data sets bigger than 100 objects. The choice is stored in variable Clust with the default being PAM. If MaxSize > 100, Clust is set to CLARA.

The Divide(C(i), α, Clust) function partitions C(i) to α clusters according to Clust method, and returns the created clusters to variable R. The Refine(R, thres) function balances the cluster sizes and the AssignKey(R) assigns keys to the clusters in R. After $\lceil \log_\alpha(N) \rceil$ steps the algorithm terminates.


Power  Aware  Key  Distribution  based  on  Divisible  Hierarchy  (PAKeD-DH) 

In figure 3.25(b), we present the pseudo code for the Power-Aware Key Distribution - Divisible Hierarchical clustering (PAKeD-DH) algorithm, that utilizes a “power proximity” clustering algorithm, based on divisible hierarchical clustering [157], [95].

For the PAKeD-DH algorithm, the basic steps are as described in Section 3.8.2. Initially, the SEK is assigned to all members of the multicast group with AssignKey(V) and the dissimilarity matrix diss is computed as in PAKeD-KM algorithm. The cluster with the highest diameter is split into sub clusters A, B. In order to create the cluster B, the average dissimilarities a(i) and w(i, B) are stored in Diss_A, Diss_B, respectively. Cluster splitting is repeated until α clusters have been created. Then, the α clusters are balanced with the refinement algorithm Refine(), according to the threshold thres, and a key is assigned to each cluster. This process is repeated for every level of the tree hierarchy. The algorithm terminates after $\lceil \log_\alpha(N) \rceil$ steps.

Computational Complexity of PAKeD-DH: The complexity of divisible hierarchical clustering is $O(N^3)$ [95]. Divisible hierarchical clustering outputs a cluster hierarchy and need not be iteratively applied as in the case of K-means or K-medoids clustering. Hence, the complexity of PAKeD-DH is $O(N^3)$.

Power-Aware Key Distribution (PAKeD)

(a) K-medoids Clustering (PAKeD-KM)

    C = {V}
    AssignKey(C)
    diss = Power(C, γ)
    if |C| > MaxSize
        Clust = CLARA
    end if
    index = 1
    while index < ⌈log_α(N)⌉
        C_temp = {∅}
        thres = ⌈N / α^index⌉
        for i = 1 : |C|
            R = Divide(C(i), α, Clust)
            R = Refine(R, thres)
            AssignKey(R)
            C_temp = C_temp ∪ R
            index++
        end for
        C = C_temp
    end while

(b) DH Clustering (PAKeD-DH)

    C = {V}, index = 1
    AssignKey(C)
    diss = Power(C, γ)
    while index < ⌈log_α(N)⌉
        thres = ⌈N / α^index⌉
        for j = 1 : |C|
            C_temp = ∅
            while |C_temp| ≠ α
                A := max_{J ∈ C_temp} diam(J), B = ∅
                Diss_A = Ave_Diss(A, diss)
                i* = argmax_{i ∈ A} Diss_A
                A = A − {i*}, B = {i*}
                If |A| = 1 stop
                else repeat
                    Diss_A = Ave_Diss(A, diss)
                    Diss_B = Ave_Diss(B, diss)
                    max_diss = max_{i ∈ A}(Diss_A − Diss_B)
                    m = argmax_{i ∈ A}(Diss_A − Diss_B)
                    if max_diss > 0
                        B = B ∪ {m}, A = A − {m}
                    else
                end repeat
                C_temp = C_temp ∪ {A, B}
            end while
        end for
        C = Refine(C_temp, thres)
        index = index++
    end while

Figure 3.25: Pseudo code for the Power-Aware Key Distribution algorithm (PAKeD), (a) when clustering is performed using K-medoids (PAKeD-KM), and (b) when we directly generate a hierarchical key tree using divisible hierarchical clustering (PAKeD-DH).
Chapter 4

A Canonical Seed Assignment Model for Key Predistribution in Wireless Sensor Networks


4.1  Introduction 

Advances in sensor technology suggest that large-scale wireless sensor networks (WSNs) can provide sensing and distributed processing using low-cost, resource-constrained sensor nodes [2] for commercial, industrial, and military applications such as disaster relief and recovery, medical patient monitoring, smart homes, mechanical system monitoring, and target detection and tracking. As data integrity, authentication, privacy, and confidentiality are often important concerns in such applications, secure communication protocols are required. However, the ad-hoc nature of WSNs requires minimal interaction with base stations or a central authority, so trust establishment for secure communication is a critical task [3,4]. Furthermore, random sensor deployment and the physical communication constraints of sensor nodes make trust establishment a very challenging problem in WSNs.

The resource constraints of sensor nodes are the limiting factor in the type of cryptographic primitives that can be implemented. There have been recent efforts to implement public-key cryptography in wireless sensor networks [5-9]. However, such protocols cannot yet be implemented on all sensor nodes. Hence, many of the current solutions to key establishment rely on the use of symmetric key cryptography.

A  promising  solution  for  the  establishment  of  secure  communication  in  WSNs  using  symmetric 
keys  is  the  use  of  key  predistribution  [4,  10, 11].  A  key  predistribution  scheme  can  be  described 
in  two  primary  phases:  key  assignment  and  link-key  establishment.  In  the  key  assignment  phase, 
executed  prior  to  network  deployment,  sensor  nodes  are  seeded  with  cryptographic  keys  (e.g.  hashed 
master  keys  [12],  cryptographic  keys  [4],  or  polynomial  shares  [13]).  In  the  link-key  establishment 
phase,  executed  after  network  deployment,  neighboring  nodes  compute  link-keys  as  a  function  of 
assigned  keys  in  order  to  establish  secure  one-hop  links.  While  many  existing  works  in  the  literature 
provide  novel  approaches  for  the  link-key  establishment  phase  of  key  predistribution,  the  scope  of 
key assignment techniques is limited.


4.2  Our  Contributions 

In  this  chapter,  we  present  a  canonical  model  for  the  key  assignment  phase  of  key  predistribution  in 
WSNs.  In  the  canonical  key  assignment  model,  key  assignment  schemes  are  characterized  in  terms 
of  a  discrete  probability  distribution  of  the  number  of  nodes  sharing  each  assigned  key  and  the 
algorithm  used  to  perform  the  key  assignment.  The  canonical  model  allows  the  network  designer  to 
explicitly  control  the  probability  distribution  and  limit  the  effects  of  tail  behavior  in  the  probability 
distribution.  We  present  a  sampling  framework  for  randomized  key  assignment  algorithms  for  use 
in  the  canonical  model.  In  the  framework,  key  assignment  algorithms  are  classified  according  to  the 
selection  method  used  to  realize  a  given  probability  distribution,  and  a  representative  algorithm 
from  each  class  is  illustrated.  We  demonstrate  how  the  worst-case  analysis  of  any  key  predistribution 
scheme  can  be  performed  using  the  canonical  model,  analysis  which  has  not  been  possible  using 
techniques  in  existing  literature.  We  also  show  that  the  average  case  analysis  can  be  performed  as 
in  existing  works. 

In addition to the key assignment model itself, we develop a model for probabilistic network k-connectivity for randomly deployed secure WSNs in which communication is restricted by both radio range and the existence of shared keys. This connectivity model, based on spatial statistics [14] and the asymptotic properties of geometric random graphs [15, 16], can be used along with the canonical model for the purposes of network design. We further illustrate the effect of network extension via node addition using the canonical model.


4.3  Motivation  and  Problem  Statement 

Various properties of a key predistribution scheme can be analyzed in terms of the number of nodes sharing each assigned key. Hence, the behavior of a key predistribution scheme is analyzed with respect to the probability that a given key is shared by exactly $\lambda$ of the N nodes in the WSN.


4.3.1  Motivation 

The impact of the number of nodes $\lambda$ sharing a given key is investigated for the following metrics: the probability that a pair of nodes share at least one key, the probability that no pair of nodes sharing a given key are within radio range, and the potential number of secure links established using a given key.

Intuitively, if the number of nodes $\lambda$ which share a given key is small, the probability that one of the $\lambda$ nodes will share the key with a neighboring node will be very small. This statement can be justified by estimating the probability that a neighboring node shares the given key. Since exactly $\lambda$ of the N nodes in the network hold the given key, the probability that a neighboring node shares the key is approximately $\frac{\lambda}{N}$. Given a node with K keys shared by $\lambda_1, \ldots, \lambda_K$ nodes, the probability that a neighboring node shares at least one key can thus be estimated as

$$\Pr[\text{at least one key shared}] = 1 - \left(1 - \frac{\lambda_1}{N}\right) \times \cdots \times \left(1 - \frac{\lambda_K}{N}\right). \qquad (4.1)$$

Furthermore, if $\lambda$ is small and the area within the radio range of a node is significantly less than the deployment area of the network, the probability that a key shared by $\lambda$ nodes will not be used to establish a secure link, referred to as the key wastage probability, will be large. This statement can be similarly justified by estimating the key wastage probability as follows. Assuming the sensor nodes are randomly distributed over a region $\mathcal{A}$, the probability that a given pair of nodes are not within a distance r is given by

$$n_r = 1 - \frac{\pi r^2}{|\mathcal{A}|}. \qquad (4.2)$$

The key wastage probability $w(\lambda)$ can be estimated as

$$w(\lambda) \approx \left(1 - \frac{\pi r^2}{|\mathcal{A}|}\right)^{\binom{\lambda}{2}}, \qquad (4.3)$$

noting that equality does not hold because the $\binom{\lambda}{2}$ events are not independent. Hence, the key wastage probability decreases exponentially in $\lambda$, and a key shared by a small number of nodes $\lambda$ will be unused with high probability.

If the number of nodes $\lambda$ which share a given key is large, the number of secure links established using the key is potentially large. An adversary with the key can thus compromise a large number of secure links. This statement can be similarly justified by estimating the number of secure links which can be established using the given key. Given $\lambda$ nodes that share the key, there can be as many as $\binom{\lambda}{2}$ secure links formed using the given key, increasing quadratically in $\lambda$.

Quantifying the above metrics as a function of $\lambda$ also allows for the worst-case analysis with respect to each metric. Let $\mathcal{P}(\lambda)$ denote the probability that a given key is shared by $\lambda$ nodes and $\mathcal{H}(\lambda) = P\,\mathcal{P}(\lambda)$ denote the expected number of keys shared by exactly $\lambda$ nodes, where P is the total number of keys. $\mathcal{P}$ and $\mathcal{H}$ thus denote the probability distribution and expected histogram of $\lambda$, respectively. The expected worst-case for each metric can thus be quantified as a function of the expected histogram $\mathcal{H}$.

The expected worst-case probability of sharing keys and key wastage probability can be computed as a function of $\lambda_{min}$, defined as the minimum $\lambda$ such that $\mathcal{H}(\lambda) > 1$. The expected worst-case number of compromised links can similarly be computed as a function of $\lambda_{max}$, defined as the maximum $\lambda$ such that $\mathcal{H}(\lambda) > 1$. The deviation of each metric due to variation in $\lambda$ can thus be quantified by comparing the values at $\lambda_{min}$ and $\lambda_{max}$ to that at the average value $\mu$ of the distribution $\mathcal{P}$.

As an example, the above metrics are evaluated for the random key predistribution scheme of [4]. In this scheme, each node is assigned a random subset of K keys from a pool of P keys. When a subset of K keys is selected for one node, a particular key is selected with probability $\frac{K}{P}$, which can be modeled as a Bernoulli random variable. Hence, the probability distribution $\mathcal{P}(\lambda)$ is the binomial distribution $B(N, \frac{K}{P})$ such that $\mathcal{P}(\lambda)$ is given by

$$\mathcal{P}(\lambda) = \binom{N}{\lambda}\left(\frac{K}{P}\right)^{\lambda}\left(1 - \frac{K}{P}\right)^{N-\lambda} \qquad (4.4)$$

with average value $\mu = \frac{KN}{P}$, and the values of the histogram $\mathcal{H}$ are given by

$$\mathcal{H}(\lambda) = P\binom{N}{\lambda}\left(\frac{K}{P}\right)^{\lambda}\left(1 - \frac{K}{P}\right)^{N-\lambda}. \qquad (4.5)$$

The following example illustrates the effect of this binomial distribution on the metrics of interest.
Figure 4.1: The expected histogram $\mathcal{H}(\lambda)$, representing the number of keys shared by exactly $\lambda$ nodes, is illustrated for Example 1 with vertical axis in (a) linear scale and (b) logarithmic scale. Both panels are titled "Histogram of $\lambda$ for scheme of Eschenauer and Gligor".


Example 1 Let a WSN of $N = 10{,}000$ nodes be assigned keys according to the key predistribution scheme of [4] with $K = 200$ and $P = 102{,}881$, where $P$ is chosen to guarantee network connectivity with probability 0.999 for an average of $d = 50$ nodes within radio range. The average number of nodes sharing a given key is $\mu = \frac{NK}{P} = \frac{10{,}000 \cdot 200}{102{,}881} \approx 20$. The expected histogram $\mathcal{H}$ and the simulated histogram are provided in Figure 4.1. For the given parameters, the condition $\mathcal{H}(\lambda) > 1$ is satisfied for all $\lambda$ between $\lambda_{\min} = 4$ and $\lambda_{\max} = 40$.

The variation in the probability of sharing keys is quantified by computing the probability given in (4.1) for $\lambda_1, \ldots, \lambda_K$ all equal to the values $\lambda_{\min}$, $\mu$, and $\lambda_{\max}$, yielding 0.0769, 0.3224, and 0.5514, respectively. The expected worst-case probability of sharing keys can alternatively be defined as a function of the $K$ smallest values $\lambda_{\min}^{(1)}, \ldots, \lambda_{\min}^{(K)}$ which occur according to the expected histogram $\mathcal{H}$.

The variation in the key wastage probability is quantified by computing the probability given in (4.3). Since the network is randomly deployed, the quantity ^ is approximately equal to jj = 0.005. Hence, the key wastage probability for the values $\lambda_{\min}$, $\mu$, and $\lambda_{\max}$ is equal to 0.9704, 0.3858, and 0.0200, respectively.

The variation in the number of potential compromised links is similarly computed for the values $\lambda_{\min}$, $\mu$, and $\lambda_{\max}$, yielding 6, 190, and 780 links, respectively.
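
The tail values quoted in Example 1 can be reproduced from (4.4) and (4.5). The Python below is an added example, not code from the report. Because (4.1) and (4.3) are not reproduced in this section, the per-key link count $\binom{\lambda}{2}$ and the wastage form $(1-q)^{\binom{\lambda}{2}}$ with $q = 0.005$ are assumptions, chosen because they match the figures quoted above.

```python
import math

def assignment_pmf(lam, N, K, P):
    """Binomial B(N, K/P) probability that a key is held by exactly lam nodes, eq. (4.4).
    Evaluated in log space so that N = 10,000 does not overflow."""
    p = K / P
    log_pmf = (math.lgamma(N + 1) - math.lgamma(lam + 1) - math.lgamma(N - lam + 1)
               + lam * math.log(p) + (N - lam) * math.log1p(-p))
    return math.exp(log_pmf)

def expected_histogram(N, K, P):
    """H(lam) = P * pmf(lam) for lam = 0..N, eq. (4.5)."""
    return [P * assignment_pmf(lam, N, K, P) for lam in range(N + 1)]

def tail_bounds(hist):
    """(lam_min, lam_max): smallest and largest lam with H(lam) > 1."""
    populated = [lam for lam, h in enumerate(hist) if h > 1]
    return populated[0], populated[-1]

def links_per_key(lam):
    """ASSUMPTION: a key held by lam nodes can secure at most C(lam, 2) links,
    all of which are exposed if that key is compromised."""
    return math.comb(lam, 2)

def wastage_probability(lam, q):
    """ASSUMPTION: a key is wasted when none of its C(lam, 2) holder pairs is in
    radio range, each pair being in range independently with probability q."""
    return (1 - q) ** links_per_key(lam)

if __name__ == "__main__":
    N, K, P = 10_000, 200, 102_881          # parameters of Example 1
    hist = expected_histogram(N, K, P)
    lam_min, lam_max = tail_bounds(hist)
    print("lambda_min, lambda_max:", lam_min, lam_max)
    for lam in (lam_min, 20, lam_max):      # 20 is the rounded mean used on the page
        print(lam, links_per_key(lam), round(wastage_probability(lam, 0.005), 4))
```

The keys at the two ends of the histogram are the ones that drive the worst case: keys near $\lambda_{\min}$ are almost always wasted, while a single key near $\lambda_{\max}$ exposes two orders of magnitude more links than one near $\lambda_{\min}$.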
4.3.2 Problem Statement


Example 1 shows that the use of random key predistribution [4] induces a binomial distribution $B(N, \frac{K}{P})$ on the number of nodes which share each key. As demonstrated, the induced distribution can lead to undesirable tail-effects related to the keys which are shared by very few or very many
nodes  in  the  WSN.  The  natural  question  which  arises  is  whether  key  predistribution  schemes 
can  be  designed  to  induce  other  distributions  which  do  not  suffer  from  the  undesirable  tail-effects. 
Moreover,  the  secondary  question  which  arises  is  whether  it  is  possible  to  design  universal  algorithms 
for  key  assignment  which  can  be  used  to  realize  a  wide  variety  of  distributions,  leading  to  a  general 
class  of  application-dependent  key  predistribution  schemes.  To  the  best  of  our  knowledge,  there 
are  no  existing  key  predistribution  schemes  which  can  address  these  questions.  In  fact,  any  scheme 
derived  from  random  key  predistribution  [4]  results  in  the  same  binomial  distribution  and  tail-effects 
as  in  Example  1. 

Hence,  we  aim  to  characterize  the  distribution  on  the  number  of  nodes  sharing  each  key  and  the 
algorithms  which  can  be  used  to  assign  keys  to  nodes  in  the  WSN.  The  goal  of  this  characterization  is 
to  decouple  the  distribution  from  the  algorithm  used  to  assign  keys,  leading  to  a  class  of  algorithms 
which  can  be  used  to  realize  a  wide  variety  of  distributions  which  avoid  undesirable  tail-effects, 
thus  addressing  both  of  the  questions  of  interest. 


4.4  Network  and  Security  Models 

In  this  section,  we  state  our  models  and  assumptions  about  the  capabilities  of  adversaries  and  the 
deployment  of  the  sensor  network. 

4.4.1  Adversarial  Model 

We  assume  that  adversaries  are  able  to  eavesdrop  and  record  transmissions  throughout  the  WSN. 
Furthermore,  we  assume  that  adversaries  are  able  to  physically  capture  sensor  nodes  and  access 
all  information  stored  within  them.  We  are  primarily  concerned  with  adversaries  attempting  to 
capture  a  sufficient  number  of  nodes  to  compromise  a  given  fraction  of  the  secure  links  in  the 
WSN.  Hence,  we  do  not  consider  attacks  on  other  network  protocols  (e.g.  node  replication,  sleep 
deprivation  attacks,  wormhole  attacks,  etc.).  We  assume  that  the  adversary  can  capture  sensor 
nodes  in  any  part  of  the  network,  and  we  further  assume,  as  in  many  recently  published  works 
(e.g.  [4, 11])  that  the  captured  nodes  are  chosen  randomly  and  independently. 

4.4.2  Network  Model 

Each sensor is assumed to be equipped with an omni-directional radio with fixed communication range $r$.¹ Furthermore, a pair of nodes that are within distance $r$ can establish a secure link only if sufficient assigned keys are shared between them. The wireless network is made up of $N$ sensor nodes deployed randomly (uniformly) over a region $A \subset \mathbb{R}^2$, and the resulting location of node $i$ is given by $x_i \in A$ for $i = 1, \ldots, N$. The connectivity of the resulting secure WSN is determined with respect to Definition 11 as follows.

¹ Due to the use of spatial statistics, the area covered by the radio range of a node need not be circular. Hence, this assumption is only necessary to guarantee bi-directional communication between sensor nodes.

Definition 11 The connectivity $\kappa(G)$ of a graph $G$ is defined as the minimum number of vertices which leave a disconnected graph when removed. A graph $G$ with $\kappa(G) \geq k$ is said to be $k$-connected.

A  geometric  random  graph  [15,16]  as  given  by  Definition  12  below  is  used  to  model  the  physical 
radio  restrictions  on  the  nodes  of  the  sensor  network.  Furthermore,  the  shared-key  relation  between 
sensor  nodes  is  modeled  using  a  logical  graph  as  given  by  Definition  13.  The  combination  of  the 
geometric  random  graph  and  the  logical  graph  yields  a  graph  theoretical  model  for  the  secure  WSN 
in  the  form  of  the  restricted  network  graph  as  given  by  Definition  14. 

Definition 12 A (Euclidean) geometric random graph $G_g(N, A, r)$ is the result of random distribution of $N$ vertices in the region $A$ such that a pair of vertices $i$ and $j$ are adjacent if and only if the (Euclidean) distance between them is no more than $r$.

Definition 13 A logical graph $G_l(N, \mathcal{R})$ models a logical relationship between each pair of sensors such that a pair of nodes $i$ and $j$ are adjacent if and only if the pairwise relation $\mathcal{R}$ is satisfied.

Definition 14 The restricted network graph $G(N, A, r, \mathcal{R})$ represents a WSN of $N$ nodes deployed over a region $A$ such that sensors $i$ and $j$ can communicate if and only if they are within distance $r$ and the relation $\mathcal{R}$ is satisfied. The graph $G$ is given by the edge-wise intersection of a geometric random graph $G_g(N, A, r)$ and a logical graph $G_l(N, \mathcal{R})$.

We  provide  the  following  results  relating  to  the  node  degree  and  the  connectivity  of  the  restricted 
network  graph.  Theorem  9  provides  a  probabilistic  connectivity  model  which  can  be  used  to  provide 
parameters  to  yield  sufficient  network  connectivity  with  a  desired  probability. 


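Lemma 5 Given a node $u$ with degree $D$ in the logical graph $G_l(N, \mathcal{R})$, the probability $\Pr[d_u \geq k]$ that $u$ has degree at least $k$ in the graph $G(N, A, r, \mathcal{R})$ is given by

$$\Pr[d_u \geq k] = 1 - e^{-\frac{D+1}{N}\rho\pi r^2} \sum_{i=0}^{k-1} \frac{\left(\frac{D+1}{N}\rho\pi r^2\right)^{i}}{i!}.$$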


Proof 19 The vertex density of the geometric random graph $G_g(N, A, r)$ is given by $\rho = \frac{N}{|A|}$. The vertices are distributed according to a two-dimensional Poisson point process with rate $\rho$, so the probability distribution of the number of nodes within distance $r$ of a node is a Poisson distribution [If]. Hence, the probability that the degree $d_g$ of a node is at least $k$ in $G_g(N, A, r)$ is given by

$$\Pr[d_g \geq k] = 1 - e^{-\rho\pi r^2} \sum_{i=0}^{k-1} \frac{(\rho\pi r^2)^{i}}{i!}. \tag{4.6}$$

Given that a vertex $u$ has degree $D$ in $G_l(N, \mathcal{R})$, $d_u$ is at least $k$ in $G(N, A, r, \mathcal{R})$ if and only if at least $k$ of the $D$ neighbors in $G_l(N, \mathcal{R})$ are within distance $r$ of $u$. Since the neighbors of $u$ in $G_l(N, \mathcal{R})$ are determined independently of the neighbors of $u$ in $G_g(N, A, r)$, the neighbors of $u$ in $G(N, A, r, \mathcal{R})$ are uniformly distributed in the region $A$. Hence, the neighbors of $u$ in $G_l(N, \mathcal{R})$ form a geometric random graph $G_g(D + 1, A, r)$, represented by a Poisson point process with rate $\rho\frac{D+1}{N}$. Hence, replacing $\rho$ by $\rho\frac{D+1}{N}$ in (4.6) completes the proof.

Figure 4.2: The radio range of a node in the WSN required for a connected network increases when considering only neighboring nodes which share keys.

As suggested in the proof of Lemma 5, a decrease in the density of a geometric random graph requires an increase in the radio range $r$ in order to guarantee that the degree $d_u$ of a node $u$ in the graph $G_l(N, \mathcal{R})$ is sufficiently high. This increase in radio range is illustrated in Figure 4.2. In what follows, we prove that the probability given by Lemma 5 is independent for every pair of nodes.

Lemma 6 In a geometric random graph $G_g(N, A, r)$, the probability that each of a pair of nodes has degree at least $k$ is independent, i.e. for nodes $u$ and $v$

$$\Pr[d_u \geq k,\, d_v \geq k] = \Pr[d_u \geq k]\,\Pr[d_v \geq k].$$

Proof 20 Let $d_{u \setminus v}$ denote the number of nodes in the region $R_{u \setminus v}$ that is within radius $r$ of node $u$ but not within radius $r$ of node $v$. Similarly, let $d_{u,v}$ denote the number of nodes in the region $R_{u,v}$ that is within radius $r$ of both $u$ and $v$. The joint probability $\Pr[d_u \geq k, d_v \geq k]$ can be decomposed as

$$\begin{aligned}
\Pr[d_u \geq k,\, d_v \geq k] &= \sum_{i \geq k} \Pr[d_u \geq k \mid d_v = i]\,\Pr[d_v = i] \\
&= \sum_{i \geq k} \Big(1 - \sum_{j < k} \Pr[d_u = j \mid d_v = i]\Big) \Pr[d_v = i]. && (4.7)
\end{aligned}$$

Noting that $i > j$ in (4.7), the probability $\Pr[d_u = j \mid d_v = i]$ can be expressed as

$$\begin{aligned}
\Pr[d_u = j \mid d_v = i] &= \sum_{n=0}^{j} \Pr[d_u = j \mid d_v = i,\, d_{u,v} = n]\,\Pr[d_{u,v} = n] && (4.8) \\
&= \sum_{n=0}^{j} \Pr[d_{u \setminus v} = j - n \mid d_v = i,\, d_{u,v} = n]\,\Pr[d_{u,v} = n] && (4.9) \\
&= \sum_{n=0}^{j} \Pr[d_{u \setminus v} = j - n]\,\Pr[d_{u,v} = n] && (4.10) \\
&= \sum_{n=0}^{j} e^{-\rho |R_{u \setminus v}|} \frac{(\rho |R_{u \setminus v}|)^{j-n}}{(j-n)!}\; e^{-\rho |R_{u,v}|} \frac{(\rho |R_{u,v}|)^{n}}{n!} && (4.11) \\
&= \sum_{n=0}^{j} e^{-\rho\pi r^2} \frac{\big(\rho(\pi r^2 - |R_{u,v}|)\big)^{j-n} (\rho |R_{u,v}|)^{n}}{(j-n)!\; n!} && (4.12) \\
&= e^{-\rho\pi r^2} \frac{(\rho\pi r^2)^{j}}{j!} = \Pr[d_u = j]. && (4.13)
\end{aligned}$$

Under the spatial Poisson point process model, the number of points which appear in disjoint regions of $A$ are independently distributed. Hence, in the above formulation, (4.10) follows from the fact that the region $R_{u \setminus v}$ is disjoint from both the region $R_{u,v}$ and the region within radio range $r$ of node $v$. The Poisson process model further allows substitution of the identically distributed probabilities in (4.11). Equation (4.12) follows by substituting $|R_{u \setminus v}| = \pi r^2 - |R_{u,v}|$ and collecting terms, and (4.13) is obtained by applying the binomial theorem and again using the properties of the Poisson point process. Substituting (4.13) into (4.7) completes the proof.


Theorem 9 The restricted network graph $G(N, A, r, \mathcal{R})$ resulting from the edge-wise intersection of a logical graph $G_l(N, \mathcal{R})$ with average node degree $D$ and a geometric random graph $G_g(N, A, r)$ with node density $\rho = \frac{N}{|A|}$ is $k$-connected with probability $P_G(k)$ given by

$$P_G(k) = \left(1 - e^{-\frac{D+1}{N}\rho\pi r^2} \sum_{i=0}^{k-1} \frac{\left(\frac{D+1}{N}\rho\pi r^2\right)^{i}}{i!}\right)^{N}.$$

Proof 21 Applying Lemma 6 to each geometric random graph on $(D + 1)$ nodes with density $\rho\frac{D+1}{N}$ as in Lemma 5, the minimum node degree $d_{\min}$ in the graph $G(N, A, r, \mathcal{R})$ is given by

$$\Pr[d_{\min} \geq k] = \Pr[d_1 \geq k, \ldots, d_N \geq k] = \Pr[d \geq k]^{N}. \tag{4.14}$$

As $r$ increases, a geometric random graph becomes $k$-connected, asymptotically, as soon as the minimum vertex degree is $k$ with high probability [15]. Hence, the probability of connectivity is given by $P_G(k) = \Pr[d_{\min} \geq k] = \Pr[d \geq k]^{N}$.

Theorem 9 provides the model for probabilistic $k$-connectivity used throughout this chapter. Several works on key predistribution have used a connectivity model based on the assumption that the underlying logical graph is given by a random graph with independent edge probability $p$. In Corollary 3, we show that this random graph model can be approximated by a special case of the model given by Theorem 9.

Corollary 3 If $G_l(N, \mathcal{R})$ is a random graph with independent edge probability $p$, the probability $P_G(1)$ given by Theorem 9 can be approximated by the result given in [4].


Proof 22 The average vertex degree in a random graph on $N$ vertices with independent edge probability $p$ is given by $D = p(N - 1)$, so Theorem 9 yields a connectivity probability of

$$P_G(1) = \left(1 - e^{-\frac{p(N-1)+1}{N}\rho\pi r^2}\right)^{N} \approx e^{-N e^{-\frac{p(N-1)+1}{N}\rho\pi r^2}} \approx e^{-N e^{-p\rho\pi r^2}} \tag{4.15}$$

from the approximation $1 - x \approx e^{-x}$ for $|x| \ll 1$ and noting that $\frac{p(N-1)+1}{N} \approx p$ for $N \gg 1$. The probability of connectivity stated in [4] using the random graph approach can be expressed as

$$P_c = e^{-N e^{-\frac{N}{N-1} p(\rho\pi r^2 - 1)}} \approx e^{-N e^{-p\rho\pi r^2}} \tag{4.16}$$

by noting that $\frac{N}{N-1} p(\rho\pi r^2 - 1) \approx p\rho\pi r^2$ since $\frac{N}{N-1} \approx 1$ and $p \ll 1$. Hence, the connectivity probabilities $P_G(1)$ and $P_c$ are approximately equal for all practical purposes.
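
Theorem 9 and the approximation in Corollary 3 can be evaluated side by side and inverted to size a deployment. The Python below is an added example, not code from the report; it assumes that the "$d = 50$ nodes within radio range" of Example 1 stands for $\rho\pi r^2$ and uses the average-case sharing probability 0.3224 from that example as the edge probability $p$.

```python
import math

def degree_tail(mean, k):
    """Pr[Poisson(mean) < k] = e^{-mean} * sum_{i<k} mean^i / i!, the sum in (4.6)."""
    term = math.exp(-mean)
    total = 0.0
    for i in range(k):
        total += term
        term *= mean / (i + 1)
    return total

def p_connect(N, D, in_range, k=1):
    """Theorem 9: probability that the restricted network graph is k-connected.
    D is the average logical degree, in_range stands for rho * pi * r^2."""
    tail = degree_tail((D + 1) / N * in_range, k)
    if tail >= 1.0:                      # rounding guard for very sparse graphs
        return 0.0
    return math.exp(N * math.log1p(-tail))   # (1 - tail)^N without losing precision

def p_connect_random_graph(N, p, in_range):
    """Right-hand side shared by (4.15) and (4.16): exp(-N exp(-p rho pi r^2))."""
    return math.exp(-N * math.exp(-p * in_range))

def min_share_probability(target, N, in_range, k=1, tol=1e-9):
    """Smallest edge probability p, with D = p(N - 1), such that P_G(k) >= target.
    P_G(k) is increasing in D, so bisection on p is sufficient."""
    if p_connect(N, N - 1, in_range, k) < target:
        raise ValueError("target not reachable even when every pair shares a key")
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if p_connect(N, mid * (N - 1), in_range, k) >= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    N, in_range, p = 10_000, 50, 0.3224      # values taken from Example 1
    print("Theorem 9, k=1 :", p_connect(N, p * (N - 1), in_range, 1))
    print("Corollary 3    :", p_connect_random_graph(N, p, in_range))
    print("Theorem 9, k=2 :", p_connect(N, p * (N - 1), in_range, 2))
    print("p for 0.999    :", min_share_probability(0.999, N, in_range))
```

With these inputs both expressions give about 0.999, the connectivity target stated in Example 1, and requiring 2-connectivity with the same parameters lowers the probability to roughly 0.98.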


4.5  Key  Assignment  for  Key  Predistribution 

In  this  section,  we  provide  a  canonical  key  assignment  model  for  key  predistribution.  We  discuss 
the  assignment  of  keys  to  nodes  in  a  WSN  and  the  properties  of  such  key  assignment  in  terms  of  a 
bipartite  graph  process.  Based  on  the  graph  theoretic  interpretation  of  key  assignment,  we  derive 
the  canonical  key  assignment  model  and  discuss  the  properties  of  the  model.  Based  on  the  graph 
theoretical  interpretation,  we  propose  a  sampling  framework  for  key  assignment  in  the  canonical 
model  which  decomposes  the  space  of  key  assignment  algorithms  into  four  classes.  Finally,  we 
propose  a  key  assignment  algorithm  for  each  of  the  four  classes. 

4.5.1  Proposed  Approach 

The assignment of keys to the nodes of a WSN can be seen as a process on a bipartite graph $g$ with vertex set $V(g) = \mathcal{N} \cup \mathcal{K}$ where the set $\mathcal{N}$ represents the set of $N$ nodes and the set $\mathcal{K}$ represents the set of $P$ keys. An edge $(n, k)$ in the edge-set $E(g) \subseteq \mathcal{N} \times \mathcal{K}$ represents the assignment of the key $k$ to the node $n$. Figure 4.3 illustrates the use of a bipartite graph $g$ for the assignment of keys to nodes in the WSN.

For such a bipartite graph $g$, we can describe the edge-set $E(g)$ in terms of the degree $deg(n)$ of each vertex $n \in \mathcal{N}$ and the degree $deg(k)$ of each vertex $k \in \mathcal{K}$. Similarly, the assignment of keys to nodes can be described in terms of the number of keys assigned to each node and the number of nodes which share each key. We assume that every node receives exactly $K$ keys, corresponding to $deg(n) = K$ for all $n \in \mathcal{N}$, so the number of edges in $g$ is $|E(g)| = NK$. Hence, we can describe key assignment in terms of the degrees $deg(k)$ for $k \in \mathcal{K}$ which result from the assignment of keys to nodes in the WSN. Specifically, we are interested in the probability $\Pr[deg(k) = \lambda]$ that a key $k$ is assigned to exactly $\lambda$ nodes in the network.

Figure 4.3: Bipartite graph $g$ representing the assignment of keys to nodes in the WSN.

If a desired probability distribution $\Pr[deg(k) = \lambda]$, $\lambda = 0, \ldots, N$, on the set $\mathcal{K}$ is given, a graph algorithm is required in order to construct the graph $g$ such that the distribution is realized. However, due to the restriction that every vertex in $\mathcal{N}$ must have degree $K$, such algorithms may not exist for all values of $N$ and $K$. An example which illustrates this fact for combinatorial design based key predistribution schemes is discussed in [17].

The  graph  theoretical  interpretation  of  key  assignment  in  WSNs  is  the  basis  of  our  canonical 
key  assignment  model.  The  canonical  model  is  stated  formally  by  the  following  set  of  definitions  in 
terms  of  the  bipartite  graph  g.  Table  4.1  summarizes  the  notation  for  the  canonical  key  assignment 
model  in  WSNs  in  terms  of  the  graph  theoretical  interpretation. 

4.5.2  Canonical  Key  Assignment  Model 

The canonical key assignment model is primarily concerned with the probability distribution on the degrees of the nodes in $\mathcal{K}$, corresponding to the number of nodes which share each key. The set of nodes sharing each key and the probability distribution on the set sizes are defined formally in Definition 15 and Definition 16.

Definition 15 The set $S(k) = \{n \in \mathcal{N} : (n, k) \in E(g)\}$ of nodes which are assigned the key $k \in \mathcal{K}$ is the assignment set of key $k$.

Definition 16 The discrete probability function $\mathcal{P}(\lambda) = \Pr[|S(k)| = \lambda]$ specifying the probability that an assignment set $S$ contains exactly $\lambda$ nodes is the assignment distribution. The support of an assignment distribution $\mathcal{P}$ is given by $\Lambda = \{\lambda : \mathcal{P}(\lambda) > 0\} \subseteq \{0, \ldots, N\}$.

Given a desired assignment distribution, an algorithm must exist which can realize the given distribution on the set $\mathcal{K}$. Such an algorithm is defined formally in Definition 17. The degree of imperfection of a key assignment algorithm is defined formally in Definition 19.

Table 4.1: The notation used in Chapter ?? for the canonical key assignment model in WSNs is summarized in terms of the graph theoretical interpretation.

| Symbol | Bipartite Graph Process | Canonical Model |
|---|---|---|
| $g$ | bipartite graph | key assignment in WSN |
| $V(g)$ | vertex set of $g$ | set of nodes and keys |
| $\mathcal{N}$ | vertex partition set of $V(g)$ | set of sensor nodes |
| $N$ | number of vertices in $\mathcal{N}$ | number of nodes in WSN |
| $\mathcal{K}$ | vertex partition set of $V(g)$ | set of keys |
| $P$ | number of vertices in $\mathcal{K}$ | number of keys assigned in WSN |
| $E(g)$ | edge set of $g$, $E(g) \subseteq \mathcal{N} \times \mathcal{K}$ | key assignment to nodes |
| $deg(n) = K$ | degree $K$ of each vertex $n \in \mathcal{N}$ | $K$ keys assigned to every node |
| $S(k)$ | $\{n : (n, k) \in E(g)\}$ | assignment set for key $k$ |
| $deg(k) = \lvert S(k) \rvert$ | degree of vertex $k \in \mathcal{K}$ | number of nodes in assignment set $S(k)$ |
| $\mathcal{P}$ | distribution of $deg(k)$, $k \in \mathcal{K}$ | assignment distribution |
| $\Lambda$ | $\{deg(k) : k \in \mathcal{K}\}$ | support of assignment distribution $\mathcal{P}$ |
| $\mu$ | average vertex degree in $\mathcal{K}$ | mean of distribution $\mathcal{P}$ |
| $\mathscr{A}$ | algorithm to construct $g$ | key assignment algorithm |
| $(\mathcal{P}, \mathscr{A})$ | - | key assignment scheme |
| $d(\lambda, \Lambda)$ | - | boundary distance, $\min\{\lvert \lambda - \nu \rvert : \nu \in \Lambda\}$ |

Definition 17 The key assignment algorithm $\mathscr{A}$ is used to realize an assignment distribution $\mathcal{P}$, equivalently to construct a bipartite graph $g$ with degree distribution $\mathcal{P}$ on $\mathcal{K}$.

Definition 18 A key assignment scheme is given by the pair $(\mathcal{P}, \mathscr{A})$ of an assignment distribution and a key assignment algorithm.

Definition 19 A boundary set resulting from a key assignment scheme $(\mathcal{P}, \mathscr{A})$ is an assignment set $S(k)$ of size $\lambda \notin \Lambda$. The boundary distance of such a boundary set is given by $d(\lambda, \Lambda) = \min\{|\lambda - \nu| : \nu \in \Lambda\}$. Boundary sets result from either the algorithm $\mathscr{A}$ or the fact that there are only a finite number of keys $k \in \mathcal{K}$ with degree $deg(k)$ distributed according to $\mathcal{P}$, referred to hereafter as the finite sampling effect.

We give a canonical key assignment model in WSN in terms of the above definitions. A key assignment scheme $(\mathcal{P}, \mathscr{A})$ can be characterized entirely by the assignment distribution $\mathcal{P}$ and the key assignment algorithm $\mathscr{A}$. The performance of a key assignment scheme $(\mathcal{P}, \mathscr{A})$ can be described in terms of the assignment distribution $\mathcal{P}$, the given set of network parameters, and the boundary sets which result from the algorithm $\mathscr{A}$ and the finite sampling effects. The desired outcome for a key assignment scheme $(\mathcal{P}, \mathscr{A})$ is a realization of the assignment distribution $\mathcal{P}$ with no boundary sets. In other words, the histogram representing the values $|\{k \in \mathcal{K} : deg(k) = \lambda\}|$ should be approximately equal to the scaled assignment distribution $P \cdot \mathcal{P}(\lambda)$ for all $\lambda \in \Lambda$, and every node degree $deg(k)$, $k \in \mathcal{K}$, will be a member of $\Lambda$.

As illustrated by Example 1, the network connectivity and resilience to node capture for a key predistribution scheme depend on the assignment distribution $\mathcal{P}$. Hence, in order to discuss desirable properties and design an assignment distribution for a given application, the effects of the assignment distribution on network connectivity and resilience to node capture must first be investigated. This detailed analysis is presented in Section 4.6, and the design of assignment distributions is thereafter discussed in Section 4.7.

As discussed in Section 4.3.2, we are interested in designing universal key assignment algorithms which can be used to realize a wide variety of assignment distributions, depending on application requirements. In order to address this problem, we propose a sampling framework for key assignment algorithms. In the sampling framework, an algorithm can realize a given assignment distribution with minimal occurrence of boundary sets through repeated sampling of the assignment distribution. Such a sampling framework ensures that the analytical characteristics of the key assignment scheme depend only on the assignment distribution as desired. Hence, in what follows, the sampling framework for key assignment algorithms is discussed in detail.


4.5.3  Sampling  Framework  for  Key  Assignment  Algorithms 

In this section, we propose a sampling framework for key assignment algorithms. In the framework, the assignment distribution is repeatedly sampled and assignment sets are constructed as a function of the samples of the assignment distribution. We consider algorithms based on random selection using the fundamental combinatorial methods of selection with and without replacement. Furthermore, we consider algorithms of two types. The first type selects an assignment set from $\mathcal{N}$ for each key subject to the constraint that $deg(n) = K$ for all $n \in \mathcal{N}$. The second type selects a subset of $K$ keys from $\mathcal{K}$ for each node subject to the constraint that the values of $deg(k)$ for $k \in \mathcal{K}$ are distributed according to the assignment distribution $\mathcal{P}$. Hence, the sampling framework consists of four classes of algorithms.

We provide an example from each of the four classes of key assignment algorithms in the sampling framework, each of which is named for the corresponding class. The Key Selection with Replacement (KSR) and Key Selection with No Replacement (KSNR) algorithms are examples from the classes of selection with and without replacement, respectively, of subsets of $\mathcal{K}$. The Node Selection with Replacement (NSR) and Node Selection with No Replacement (NSNR) algorithms are examples from the classes of selection with and without replacement, respectively, of subsets of $\mathcal{N}$. Table 4.2 illustrates the four classes of key assignment algorithms in the sampling framework and classifies each of the four algorithms. In what follows, each algorithm is described in detail, and code and an illustration are provided for each of the four algorithms. In the code for each algorithm, select($X$, $y$) denotes uniform random selection of a subset of $y$ elements from the set $X$, and sample($\mathcal{P}$) denotes the generation of a sample from an assignment distribution $\mathcal{P}$.


Key Selection with Replacement (KSR)

The KSR algorithm performs selection with replacement from a set $\Phi$ containing pairs $(k, \lambda)$ where $k \in \mathcal{K}$ and $\lambda \in \Lambda$ is a sample of the assignment distribution $\mathcal{P}$. The number of keys $P = |\mathcal{K}| = |\Phi|$ must be sufficient to provide a total of $NK$ edges in the graph $g$. Hence, we require $\sum_{(k,\lambda) \in \Phi} \lambda \geq NK$. Once $\Phi$ is constructed, keys are assigned to each node using random selection with replacement. For each of the $N$ nodes, $K$ elements of $\Phi$ are selected at random, and the key $k$ of each selected pair $(k, \lambda)$ is assigned to the node. The value $\lambda$ in each selected pair $(k, \lambda)$ is decremented, and the pair is replaced back into $\Phi$ if $\lambda > 0$. Thus, as the algorithm proceeds, $|\Phi|$ decreases. Near the termination of the algorithm, it is possible that $\sum_{(k,\lambda) \in \Phi} \lambda = K$ but $|\Phi| < K$, leading to a case where no set of $K$ unique keys can be assigned to a remaining node. Hence, if $|\Phi| = K_0 < K$, the $(K - K_0)$ remaining keys must be selected from those which have already been removed from $\Phi$. If any of the $K_0$ keys were initially assigned a sample value of $\lambda_{\min} = \min\{\lambda \in \Lambda\}$, these keys will correspond to boundary sets of size $\lambda_{\min} - 1$. Furthermore, if any of the $(K - K_0)$ keys selected from those which were already removed from $\Phi$ were initially assigned a sample value of $\lambda_{\max} = \max\{\lambda \in \Lambda\}$, these keys will correspond to boundary sets of size $\lambda_{\max} + 1$. Pseudo-code for the KSR algorithm is provided in Figure 4.4(a), and a graphic illustration is provided in Figure 4.4(b).

Table 4.2: The four classes of key assignment algorithms in the sampling framework are based on whether the algorithm is based on selection with or without replacement and whether the algorithm selects subsets of $\mathcal{K}$ or subsets of $\mathcal{N}$.

| | Selection with replacement | Selection without replacement |
|---|---|---|
| Subsets of $\mathcal{K}$ | KSR | KSNR |
| Subsets of $\mathcal{N}$ | NSR | NSNR |

    KSR(N, K, 𝒫)
    Φ ← ∅, j ← 1
    while Σ_{(k,λ)∈Φ} λ < N·K
        Φ ← Φ ∪ {(k_j, sample(𝒫))}
        j ← j + 1
    end while
    for n ∈ 𝒩
        Φ₀ ← {(k, λ) ∈ Φ : λ > 0}
        E ← select(Φ₀, min(K, |Φ₀|))
        if |E| < K
            F ← select(Φ \ E, K − |E|)
            E ← E ∪ F
        end if
        assign {k : (k, λ) ∈ E} to n
        (k, λ) ← (k, λ − 1) for (k, λ) ∈ E
    end for

Figure 4.4: The KSR key assignment algorithm is illustrated (a) in pseudo-code and (b) graphically with numbered steps: 1 - select key subset, 2 - assign keys to node, 3 - decrement $\lambda$ for each key, 4 - replace keys.

    Φ, Φ₁ ← ∅, j ← 1
    while Σ_{(k,λ)∈Φ} λ < N·K
        Φ ← Φ ∪ {(k_j, sample(𝒫))}
        j ← j + 1
    end while
    λ_max ← max{λ : (k, λ) ∈ Φ}
    for i from 1 to λ_max
        Φ₀ ← Φ \ Φ₁
        while |Φ₀| ≥ K
            E ← select(Φ₀, K)
            Φ₀ ← Φ₀ \ E
            assign {k : (k, λ) ∈ E} to next n ∈ 𝒩
            (k, λ) ← (k, λ − 1) for (k, λ) ∈ E
        end while
        Φ ← Φ \ {(k, λ) : λ = 0}
        if |Φ₀| > 0
            Φ₁ ← select(Φ \ Φ₀, K − |Φ₀|)
            assign {k : (k, λ) ∈ Φ₀ ∪ Φ₁} to next n ∈ 𝒩
            (k, λ) ← (k, λ − 1) for (k, λ) ∈ Φ₀ ∪ Φ₁
        end if
    end for

Figure 4.5: The KSNR key assignment algorithm is illustrated (a) in pseudo-code and (b) graphically with numbered steps: 1 - select subset of keys, 2 - assign keys to node, 3 - decrement $\lambda$ for each key.


Key Selection with No Replacement (KSNR)

The KSNR algorithm performs selection without replacement from a set $\Phi$ containing pairs $(k, \lambda)$ where $k \in \mathcal{K}$ and $\lambda \in \Lambda$ is a sample of the assignment distribution $\mathcal{P}$. The number of keys $P = |\mathcal{K}| = |\Phi|$ must be sufficient to provide a total of $NK$ edges in the graph $g$. Hence, we require $\sum_{(k,\lambda) \in \Phi} \lambda \geq NK$. Once $\Phi$ is constructed, keys are assigned to each node using random selection without replacement in a total of $\lambda_{\max} = \max\{\lambda \in \Lambda\}$ rounds. In a single round, which continues as long as $\Phi$ is non-empty, a random subset of $K$ pairs $(k, \lambda)$ in $\Phi$ is selected without replacement for each subsequent node, and the value $\lambda$ in each selected pair is decremented. Pairs $(k, \lambda)$ such that $\lambda = 0$ are permanently removed from $\Phi$ for all subsequent rounds, so the initial size of $\Phi$ can decrease in every subsequent round. In a given round, if $K$ is not a factor of $|\Phi|$, there will be $K_0 < K$ keys remaining for the last node of the round. These $K_0$ keys can be combined with a random selection of $(K - K_0)$ keys which have not been permanently removed from $\Phi$. The $(K - K_0)$ selected pairs will then be excluded from the subsequent round of the algorithm. If this occurs in the $K$th round, any of the $(K - K_0)$ selected keys which were initially assigned a sample value of $\lambda_{\max} = \max\{\lambda \in \Lambda\}$ will yield a boundary set of size $\lambda_{\max} + 1$. Pseudo-code for the KSNR algorithm is provided in Figure 4.5(a), and a graphic illustration is provided in Figure 4.5(b).

Node  Selection  with  Replacement  (NSR) 

The  NSR  algorithm  performs  selection  with  replacement  from  a  set  $  containing  pairs  (n,  c)  where 
n  G  AT  and  c  >  0  counts  the  number  of  keys  assigned  to  node  n.  For  each  key,  a  sample  A  is 
    Φ ← {(n, 0) : n ∈ 𝒩}
    while |Φ| > 0
        λ ← sample(𝒫)
        S ← select(Φ, min(λ, |Φ|))
        assign next k ∈ 𝒦 to {n : (n, c) ∈ S}
        (n, c) ← (n, c + 1) for (n, c) ∈ S
        Φ ← Φ \ {(n, c) ∈ S : c = K}
    end while

(a)

Figure 4.6: The NSR key assignment algorithm is illustrated (a) in pseudo-code and (b) graphically
with numbered steps: 1 - select subset of nodes, 2 - assign key to nodes, 3 - increment c for each
node, 4 - replace nodes.


generated from the assignment distribution $\mathcal{P}$, and a set of $\lambda$ pairs $(n, c)$ are selected from $\Phi$. The
assignment set for the given key is composed of the $n$ entries in the $\lambda$ selected pairs. Each time
a pair $(n, c)$ is selected, the counter $c$ is incremented, and the pair is replaced back into $\Phi$ only if
$c < K$. Hence, $|\Phi|$ decreases as the algorithm proceeds. As soon as $|\Phi| < \lambda_{max} = \max\{\lambda \in \Lambda\}$,
it is possible for the sampled value of $\lambda$ to be less than $|\Phi|$, so the entire set $\Phi$ is selected. If
$|\Phi| < \lambda_{min} = \min\{\lambda \in \Lambda\}$, this will lead to boundary sets which vary in size between 1 and
$\lambda_{min} - 1$. In simulation, a majority of the boundary sets which occur have size much smaller than
$\lambda_{min} - 1$. Pseudo-code for the NSR algorithm is provided in Figure 4.6(a), and a graphic illustration
is provided in Figure 4.6(b).
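The NSR procedure of Figure 4.6(a) as an added Python example (it is not code from the report). The function names, the swap-remove bookkeeping for $\Phi$ and the small demo parameters N = 400, K = 15 are assumptions of this example; the weights are the probability mass (4.34) of Example 2 multiplied by 30.

```python
import random
from collections import Counter

# Relative weights of the assignment distribution: the pmf (4.34) of Example 2
# multiplied by 30, so lambda = 19..23 weigh 1..5 and lambda = 24..28 weigh 5..1.
EXAMPLE_WEIGHTS = {lam: min(lam - 18, 29 - lam) for lam in range(19, 29)}


def nsr_assign(num_nodes, keys_per_node, weights, rng):
    """Node Selection with Replacement, following Figure 4.6(a).

    weights maps an assignment set size lambda to its relative probability.
    Returns (sets, count): sets[k] lists the nodes that receive key k, and
    count[n] is the number of keys held by node n when the loop ends.
    """
    sizes = sorted(weights)
    mass = [weights[s] for s in sizes]
    count = [0] * num_nodes                    # counter c of every pair (n, c)
    phi = list(range(num_nodes))               # nodes with fewer than K keys
    slot = {n: i for i, n in enumerate(phi)}   # index of each node inside phi
    sets = []
    while phi:
        lam = rng.choices(sizes, mass)[0]                # lambda <- sample(P)
        chosen = rng.sample(phi, min(lam, len(phi)))     # S <- select(Phi, ...)
        sets.append(chosen)                              # assign the next key
        for n in chosen:
            count[n] += 1
            if count[n] == keys_per_node:
                # c = K: the node is not replaced into Phi (swap-remove).
                i = slot.pop(n)
                last = phi.pop()
                if last != n:
                    phi[i] = last
                    slot[last] = i
    return sets, count


def boundary_sets(sets, lam_min):
    """Histogram of assignment sets smaller than lambda_min (boundary sets)."""
    return Counter(len(s) for s in sets if len(s) < lam_min)


if __name__ == "__main__":
    # Constructed demo network, far smaller than the one in Example 2.
    sets, count = nsr_assign(400, 15, EXAMPLE_WEIGHTS, random.Random(7))
    print("keys generated:", len(sets))
    print("keys per node :", set(count))
    print("boundary sets :", dict(boundary_sets(sets, 19)))
```

Every node ends with exactly K keys, so the only irregularity the run can produce is the handful of undersized sets reported on the last line.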


Node  Selection  with  No  Replacement  (NSNR) 

The NSNR algorithm performs selection without replacement from the set $\Phi$, initially equal to $\mathcal{N}$.
Assignment sets are generated using random selection without replacement in a total of $K$ rounds.
In a single round, which continues as long as $\Phi$ is non-empty, a sample $\lambda$ is generated from the
assignment distribution $\mathcal{P}$, a set of $\lambda$ nodes in $\Phi$ is selected for each subsequent key, and the key is
assigned to the selected nodes. If the sample $\lambda$ is such that $|\Phi| < \lambda$, the key is assigned to the $|\Phi|$
remaining nodes and a random selection of $(\lambda - |\Phi|)$ other nodes which are then removed from the
subsequent round. In the $K$th round, since we do not want to assign $(K + 1)$ keys to any node, the
final key may be assigned to less than $\lambda_{min} = \min\{\lambda \in \Lambda\}$ nodes, resulting in a single boundary set
of size between 1 and $\lambda_{min} - 1$. We note that if $\Lambda = \{\lambda\}$ and $\lambda$ is a factor of $N$, the NSNR algorithm
will not yield boundary sets, and the result of the algorithm is equivalent to a deterministic key
assignment algorithm similar to those of [17,18]. Pseudo-code for the NSNR algorithm is provided
in Figure 4.7(a), and a graphic illustration is provided in Figure 4.7(b).

The  algorithms  proposed  herein  yield  a  result  that  is  essentially  similar.  The  primary  differences 
are  the  behavior  of  the  boundary  sets  which  result  and  their  computational  cost.  Though  these 
sets  occur  non-deterministically,  their  general  behavior  can  be  characterized.  Furthermore,  there 
    Φ₁ ← ∅
    for i from 1 to K
        Φ ← 𝒩 \ Φ₁
        while |Φ| > 0
            λ ← sample(𝒫)
            S ← select(Φ, min(λ, |Φ|))
            if |S| < λ and i < K
                Φ₁ ← select(𝒩 \ S, λ − |S|)
                S ← S ∪ Φ₁
            end if
            assign next k ∈ 𝒦 to {n ∈ S}
            Φ ← Φ \ S
        end while
    end for

(a)

Figure 4.7: The NSNR key assignment algorithm is illustrated (a) in pseudo-code and (b) graphically
with numbered steps: 1 - select subset of nodes, 2 - assign key to nodes.

tends  to  be  a  trade-off  between  the  computational  cost  of  an  algorithm  and  the  resulting  boundary 
distance,  in  that  the  boundary  distance  can  be  decreased  at  the  expense  of  increased  computation. 
Hence,  the  choice  of  algorithm  may  depend  on  the  desired  boundary  distance  tolerance  and  the 
allowable  computational  cost. 

4.6  Analysis  of  Key  Assignment  Schemes 

In this section, we provide general analysis for a key assignment scheme $(\mathcal{P}, \mathcal{A})$ assuming the impact
of any boundary sets is negligible. We compute the probability that a pair of nodes share a
given number of keys, the probability of network connectivity, and the resilience to node capture.
Each of the quantities is provided in such a way that the worst case with respect to the assignment
distribution $\mathcal{P}$ can be easily determined. Furthermore, the average case is computed for each quantity
with respect to the assignment distribution $\mathcal{P}$. The average case is most helpful in determining
sufficiency of network parameters, while the worst case is most helpful in determining whether a
given set of parameters will result in undesirable tail-effects as discussed in Section 4.3.1.

4.6.1  Probability  of  Sharing  Keys 

The  average  and  worst-case  analysis  of  a  key  predistribution  scheme  can  be  performed  with  respect 
to  the  probability  that  a  pair  of  nodes  share  any  number  of  keys.  In  addition  to  performance 
analysis,  this  probability  is  important  for  various  applications  based  on  local  connectivity  properties. 
For example, the $q$-composite scheme of [19] requires a pair of nodes to share at least $q$ keys for
some $q \ge 1$. We compute the probability $p_s(i)$ that a pair of nodes share exactly $i$ keys as a function
of the assignment set sizes $\lambda$ corresponding to the keys in each node. We then compute the average
probability taken over the assignment distribution $\mathcal{P}$.
Lemma 7 A node $u$ containing a key $k$, such that $\lambda = |S(k)|$ is known, will share $k$ with a node
$v$ with probability $p_\lambda$ = .

Proof 23 Given a node $u$ containing $k$, exactly $(\lambda - 1)$ of the remaining $(N - 1)$ nodes contain $k$.
Hence, the probability that $v$ is one of these $(\lambda - 1)$ nodes is


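Theorem 10 A node $u$ containing keys $k_1, \dots, k_K$, such that $\lambda_j = |S(k_j)|$ for $j = 1, \dots, K$ are
known, will share exactly $i$ keys with a node $v$ with probability $p_s(i, \lambda_1, \dots, \lambda_K)$ given by

$$p_s(i, \lambda_1, \dots, \lambda_K) = \frac{1}{i!(K-i)!} \sum_{\pi} \left( \prod_{j=1}^{i} \frac{\lambda_{\pi_j} - 1}{N - 1} \right) \left( \prod_{j=i+1}^{K} \frac{N - \lambda_{\pi_j}}{N - 1} \right)$$

where the summation is over all permutations $\pi = (\pi_1, \dots, \pi_K)$ of $(1, \dots, K)$.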


Proof 24 The event that $v$ shares $k_j$ with $u$ can be modeled as a Bernoulli trial with success
probability $p_{\lambda_j}$ given by Lemma 7. Since the assignment sets are chosen independently, the $K$
events are independent. Hence, the number of events $i$ which occur is given by the sum of the $K$
independent Bernoulli random variables. The probability that exactly $i$ of the $K$ events occur is
given by the sum over all possible choices of $i$ of the $K$ events. For a given choice of $i$ events, the
contribution to the overall probability is the product of $p_{\lambda_j}$ for the $i$ events which occur multiplied
by the product of $1 - p_{\lambda_j}$ for the $(K - i)$ events which do not occur. The term $\frac{1}{i!(K-i)!}$ is added to
compensate for the $i!(K - i)!$ permutations which result in the same choice of $i$ events.


Theorem 11 A node $u$ will share exactly $i$ keys with a node $v$ with probability $p_s(i)$ given by

$$p_s(i) = \binom{K}{i} \left( \frac{\mu - 1}{N - 1} \right)^{i} \left( \frac{N - \mu}{N - 1} \right)^{K-i}$$

where $\mu$ is the average assignment set size according to the assignment distribution $\mathcal{P}$.


Proof 25 The probability $p_s(i)$ can be computed by taking the expected value of the probability
$p_s(i, \lambda_1, \dots, \lambda_K)$ given in Theorem 10 with respect to the set of samples $\lambda_1, \dots, \lambda_K$. Hence, letting
$\mathcal{E}[\cdot]$ represent this expected value, $p_s(i)$ is given by

$$p_s(i) = \mathcal{E}\left[ \frac{1}{i!(K-i)!} \sum_{\pi} \left( \prod_{j=1}^{i} \frac{\lambda_{\pi_j} - 1}{N - 1} \right) \left( \prod_{j=i+1}^{K} \frac{N - \lambda_{\pi_j}}{N - 1} \right) \right] \tag{4.17}$$

Since the samples $\lambda_j$ are independent, this is equivalent to taking the expected value with respect
to each $\lambda_j$. Moving the expected value within the summation and using the independence of the $\lambda_j$
yields

$$p_s(i) = \frac{1}{i!(K-i)!} \sum_{\pi} \left( \prod_{j=1}^{i} \frac{\mathcal{E}_{\pi_j}[\lambda_{\pi_j}] - 1}{N - 1} \right) \left( \prod_{j=i+1}^{K} \frac{N - \mathcal{E}_{\pi_j}[\lambda_{\pi_j}]}{N - 1} \right) \tag{4.18}$$

Identical distribution of the $\lambda_j$ suggests that each $\mathcal{E}_{\pi_j}[\lambda_{\pi_j}]$ is equal to the mean $\mu$ of the assignment
distribution $\mathcal{P}$. The product terms are thus independent of the index $j$, and the summands are
independent of the permutation $\pi$, so the sum-of-products form is replaced by a single product of
powers with coefficient $\frac{K!}{i!(K-i)!}$. Replacing this coefficient with $\binom{K}{i}$ completes the proof.

Theorem  10  and  Theorem  11  are  useful  in  respectively  determining  the  worst-case  and  average 
probability  of  sharing  keys.  Theorem  10  is  particularly  applicable  to  the  worst-case  analysis  in  that 
it  can  be  used  to  compute  the  worst-case  probability  of  sharing  keys  regardless  of  how  the  worst  case 
is  defined.  For  example,  the  designer  of  the  key  predistribution  scheme  can  design  an  assignment 
distribution based on a given tolerance to one minimal $\lambda$ value by bounding the probability
$1 - p_s(0, \lambda_{min}, \mu, \dots, \mu)$. The designer can similarly design the key predistribution scheme based on
the  expected  worst-case  probability  by  bounding  the  probability  1  —  ps( 0,  A^]n, . . . ,  A^Jj  where 
Amin  •  •  •  >  ^rmn  are  order  statistics  similar  to  those  discussed  in  Section  4.3.1. 


4.6.2  Network  Connectivity 

The probability of connectivity of the secure WSN is given by Theorem 9 in Section 4.4.2 as a
function of the expected node degree $D$ in the logical graph $G_L(N, \mathcal{R})$. For simplicity, we assume
the relation $\mathcal{R}$ is true if and only if the given pair of nodes share at least one key. Similar results
can be derived for the modified relations of schemes such as the $q$-composite scheme [19].

We note that there are two forms of randomness present in a key assignment algorithm. The
number of nodes $\lambda$ is sampled randomly from the assignment distribution $\mathcal{P}$, and the assignment set
of $\lambda$ nodes is selected randomly. We first compute the expected degree $d(u)$ of a node $u$ assuming
the sizes $\lambda_1, \dots, \lambda_K$ of the $K$ assignment sets corresponding to the keys stored in node $u$ are fixed
and known. This computation is performed using a combinatorial occupancy problem in which
each pair $(u, v)$, for $v \in \mathcal{N} \setminus \{u\}$, is represented by a bin and a shared key between nodes $u$ and $v$
is represented by a ball in the bin representing the pair $(u, v)$. The assignment of a key $k_j$ to node
$u$ and $(\lambda_j - 1)$ of the $(N - 1)$ other nodes thus corresponds to placing one ball in each of $(\lambda_j - 1)$
of the $(N - 1)$ bins. This occupancy problem is illustrated in Figure 4.8. The degree $d(u)$ of node
$u$ in the graph $G_L(N, \mathcal{R})$ is given by the number of bins $(u, v)$ which contain at least one ball. The
expected node degree $D$ is computed by taking the expected value of the node degree $d(u)$ over all
possible values of $\lambda_1, \dots, \lambda_K$ according to a given assignment distribution $\mathcal{P}$.

Lemma 8 A node $u$ with keys $k_1, \dots, k_K$, such that $\lambda_j = |S(k_j)|$ for $j = 1, \dots, K$ are known, will
not share a key with $e(u)$ nodes according to the probability $\Pr[e(u) \ge E]$ given by


Proof 26 Placing $(\lambda_j - 1)$ balls in $(N - 1)$ bins such that a given set of $m$ bins remain empty can
be done in exactly $\binom{N-1-m}{\lambda_j-1}$ ways. Thus, the number of ways to assign $K$ keys in such a way that
a particular set of $m$ bins remains empty is given by the product $\prod_{j=1}^{K} \binom{N-1-m}{\lambda_j-1}$. The number of
ways to select the $m$ bins to remain empty is $\binom{N-1}{m}$. By the Inclusion-Exclusion Principle [20], the
number of ways $M(E)$ that $K$ subsets of bins can be chosen such that at least $E$ bins remain empty
is given by

$$M(E) = \sum_{m=E}^{N-1} (-1)^{m-E} \binom{N-1}{m} \binom{m-1}{E-1} \prod_{j=1}^{K} \binom{N-1-m}{\lambda_j-1} \tag{4.19}$$

Dividing $M(E)$ by the total number of ways to choose the $K$ subsets given by $M(0)$ yields the
probability that at least $E$ bins remain empty.

Figure 4.8: Key assignment to nodes in the WSN is represented by a combinatorial occupancy problem where each
pair of nodes $(u, v)$ is represented by a bin, and a shared key between nodes $u$ and $v$ is indicated by a ball in the bin
$(u, v)$.

Theorem 12 A node $u$ with keys $k_1, \dots, k_K$, such that $\lambda_j = |S(k_j)|$ for $j = 1, \dots, K$ are known,
will have expected degree $\mathcal{E}[d(u)]$ in the logical graph $G_L(N, \mathcal{R})$ given by

$$\mathcal{E}[d(u)] = (N - 1) \left( 1 - \prod_{j=1}^{K} \frac{N - \lambda_j}{N - 1} \right)$$

Proof 27 The expected number of empty bins $\mathcal{E}[e(u)]$ can be computed using the fact that

$$\mathcal{E}[e(u)] = \sum_{E=1}^{N-1} \Pr[e(u) \ge E] \tag{4.20}$$

since $e(u)$ is a non-negative discrete random variable [21]. Substituting the result of Lemma 8 into
(4.20) provides an expression for $\mathcal{E}[e(u)]$. The expected degree $\mathcal{E}[d(u)]$ is then given by

$$\mathcal{E}[d(u)] = N - 1 - \mathcal{E}[e(u)] \tag{4.21}$$

because each non-empty bin corresponds to an edge in the graph $G_L(N, \mathcal{R})$. Replacing $\mathcal{E}[e(u)]$ with
the result from Lemma 8 yields

$$\mathcal{E}[d(u)] = N - 1 - \sum_{E=1}^{N-1} \sum_{m=E}^{N-1} (-1)^{m-E} \binom{N-1}{m} \binom{m-1}{E-1} \prod_{j=1}^{K} \frac{\binom{N-1-m}{\lambda_j-1}}{\binom{N-1}{\lambda_j-1}} \tag{4.22}$$

The order of summation can be reversed by changing the limits of summation to sum over $m =
1, \dots, N - 1$ and $E = 1, \dots, m$. Terms which are independent of $E$ can then be moved outside of
the inner summation, yielding

$$\mathcal{E}[d(u)] = N - 1 - \sum_{m=1}^{N-1} \binom{N-1}{m} \prod_{j=1}^{K} \frac{\binom{N-1-m}{\lambda_j-1}}{\binom{N-1}{\lambda_j-1}} \sum_{E=1}^{m} (-1)^{m-E} \binom{m-1}{E-1} \tag{4.23}$$

The binomial theorem suggests that

$$\sum_{E=1}^{m} (-1)^{m-E} \binom{m-1}{E-1} = \sum_{E=0}^{m-1} (-1)^{m-1-E} \binom{m-1}{E} = 0^{m-1} \tag{4.24}$$

Since $0^0 = 1$, the only non-zero term of the summation is when $m = 1$. Hence the expected degree
of node $u$ is given by

$$\mathcal{E}[d(u)] = N - 1 - (N - 1) \prod_{j=1}^{K} \frac{\binom{N-2}{\lambda_j-1}}{\binom{N-1}{\lambda_j-1}} = (N - 1) \left( 1 - \prod_{j=1}^{K} \frac{N - \lambda_j}{N - 1} \right) \tag{4.25}$$


Theorem 13 The expected node degree $D$ in the logical graph $G_L(N, \mathcal{R})$ is given by


Proof 28 The expected node degree $D$ is computed by taking the expected value of $\mathcal{E}[d(u)]$ given by
Theorem 12 with respect to each of the set of random variables $\lambda_1, \dots, \lambda_K$. Denoting this expected
value by $\mathcal{E}[\cdot]$ yields

$$D = \mathcal{E}\left[ (N - 1) \left( 1 - \prod_{j=1}^{K} \frac{N - \lambda_j}{N - 1} \right) \right] \tag{4.26}$$

Since the samples $\lambda_1, \dots, \lambda_K$ are independent, this is equivalent to taking the expected value with
respect to each of the random variables $\lambda_j$, denoted by $\mathcal{E}_j[\cdot]$. This independence yields

$$D = (N - 1) \left( 1 - \prod_{j=1}^{K} \frac{N - \mathcal{E}_j[\lambda_j]}{N - 1} \right) \tag{4.27}$$

Identical distribution of the $\lambda_j$ suggests that $\mathcal{E}_j[\lambda_j]$ can be replaced by the mean $\mu$ of the assignment
distribution $\mathcal{P}$, completing the proof.

The result of Theorem 13 can then be used in conjunction with Theorem 9 to yield the probability
$P_c(k)$ that the restricted network graph $G(N, A, r, \mathcal{R})$ is $k$-connected. Hence, given the number
$N$ of sensors in the network, key storage $K$, desired connectivity $k$, deployment density $\rho$, and radio
range $r$, the mean $\mu$ of the assignment distribution $\mathcal{P}$ can be chosen to guarantee $k$-connectivity
with the desired probability.

4.6.3 Resilience to Attacks


Since every key is assigned to multiple nodes, a key may be used to establish many secure links
throughout the network. Thus, an adversary who randomly captures nodes may be able to decrypt
secure communication links between uncaptured nodes, referred to as link compromise. The average
probability of link compromise $f(x)$ due to the capture of $x$ nodes often depends on the underlying
structure of the key predistribution scheme. Hence, for generality, our primary security metric is
the probability $p(m, x)$ that exactly $m$ of the $x$ captured nodes contain a given key. Similar to the
results of Section 4.6.1, we first compute the results when the assignment set size $\lambda$ of the given
key is fixed and known, and then compute the average probability as a function of the assignment
distribution $\mathcal{P}$.


Lemma 9 Given uncaptured nodes $u$ and $v$ which share a key $k$ such that $\lambda = |S(k)|$ is known,
the probability $p(m, x, \lambda)$ that exactly $m$ of the $x$ captured nodes contain $k$ is given by

$$p(m, x, \lambda) = \sum_{I} \left( \prod_{j=1}^{m} \frac{\lambda - j - 1}{N - I_j - 1} \right) \times \left( \prod_{i \notin I} \frac{N - \lambda - i + m_i + 1}{N - i - 1} \right)$$

where the summation is taken over all vectors $I = (I_1, \dots, I_m)$ such that $1 \le I_1 < \dots < I_m \le x$
and $m_i = \max\{h : I_h < i\}$.


Proof 29 Each successive node capture can be modeled as a Bernoulli trial which is successful
if an additional copy of the key $k$ is contained in the captured node. The success probability of
the $x$th trial, however, depends on the number of previously successful trials because the maximum
number of successful trials is fixed at $\lambda$. Hence, the Bernoulli trials are not independent. Let
$I = (I_1, \dots, I_m)$ represent the indices of the $m$ successful trials out of the $x$ attempts. In trial $i$,
given that $m_i$ nodes containing $k$ have been captured, the probability that one of the $\lambda - 2 - m_i$
nodes containing the key $k$ was selected randomly from the $(N - 2) - (i - 1)$ nodes remaining in the
network is given by $\frac{\lambda - 2 - m_i}{N - i - 1}$. The number of previously captured nodes $m_i$ is given by the number
of indices $I_h$ in $I$ with $I_h < i$, i.e. $m_i = \max\{h : I_h < i\}$. The contribution $p(m, x, \lambda, I)$ for a given
vector $I$ is thus equal to the product of the success probabilities for the $m$ trials $I_1, \dots, I_m$ and the
failure probabilities for the $(x - m)$ remaining trials given by

$$p(m, x, \lambda, I) = \prod_{i \in I} \frac{\lambda - 2 - m_i}{N - i - 1} \times \prod_{i \notin I} \frac{N - \lambda - i + m_i + 1}{N - i - 1} \tag{4.28}$$

For $I_j \in I$, the value of $m_{I_j}$ is simply given by the number of prior successes $(j - 1)$. Hence, the
contribution $p(m, x, \lambda, I)$ for a given vector $I$ is given by

$$p(m, x, \lambda, I) = \prod_{j=1}^{m} \frac{\lambda - j - 1}{N - I_j - 1} \times \prod_{i \notin I} \frac{N - \lambda - i + m_i + 1}{N - i - 1} \tag{4.29}$$

The final result is obtained by summing over all possible $I$.
Lemma 10 Given uncaptured nodes $u$ and $v$ which share a key $k$ such that $\lambda = |S(k)|$ is known, if
$x \ll N - 2$ and $m \ll \lambda - 2$, the probability $p(m, x, \lambda)$ that exactly $m$ of the $x$ captured nodes contain
$k$ can be approximated as

$$p(m, x, \lambda) \approx \binom{x}{m} \left( \frac{\lambda - 2}{N - 2} \right)^{m} \left( \frac{N - \lambda}{N - 2} \right)^{x-m}$$

Proof 30 If $x \ll N$ and $m \ll \lambda - 2$ and $m_i = \max\{h : I_h < i\}$ as in Lemma 9, then the
approximations

$$\frac{(\lambda - 2) - (m_i - 1)}{(N - 2) - (x - 1)} \approx \frac{\lambda - 2}{N - 2} \tag{4.30}$$

$$\frac{(N - 2) - (\lambda - 2 - m_i) - (x - 1)}{(N - 2) - (x - 1)} \approx \frac{(N - 2) - (\lambda - 2)}{N - 2} = \frac{N - \lambda}{N - 2} \tag{4.31}$$

can be substituted into the result of Lemma 9 yielding

$$p(m, x, \lambda) = \sum_{I} \left( \prod_{j=1}^{m} \frac{\lambda - 2}{N - 2} \times \prod_{i \notin I} \frac{N - \lambda}{N - 2} \right) \tag{4.32}$$

Each product term is independent of the indices $i$ and $j$, so the result reduces to

$$p(m, x, \lambda) = \sum_{I} \left( \frac{\lambda - 2}{N - 2} \right)^{m} \left( \frac{N - \lambda}{N - 2} \right)^{x-m} \tag{4.33}$$

Furthermore, the summand is independent of the index $I$, so the summation over $I$ can be replaced
by the summand multiplied by $\binom{x}{m}$ corresponding to the number of possible vectors $I$.


Theorem 14 Given uncaptured nodes $u$ and $v$ which share a key $k$, the probability $p(m, x)$ that
exactly $m$ of the $x$ captured nodes contain $k$ can be approximated as

$$p(m, x) \approx \binom{x}{m} \left( \frac{\mu - 2}{N - 2} \right)^{m} \left( \frac{N - \mu}{N - 2} \right)^{x-m}$$

where $\mu$ is the mean of a given assignment distribution $\mathcal{P}$.


Proof 31 This result is an approximation to the result of Lemma 10 obtained by replacing $\lambda$
by the mean $\mu$ of the random variable $\lambda$ with respect to the assignment distribution $\mathcal{P}$.

The approximations in Lemma 10 and Theorem 14 are useful in respectively approximating the
worst-case and average probability of link compromise. The average probability of link compromise
$f(x)$ is dependent on the application and the link-key establishment protocol, though it is typically
a function of $p(m, x)$ approximated by Theorem 14. Since $p(m, x)$ depends only on the mean $\mu$ of
the assignment distribution $\mathcal{P}$, the network size $N$, and the number of captured nodes $x$, it can be
a useful metric in designing the assignment distribution $\mathcal{P}$.
The probability of link compromise $f(x, \lambda)$ for a link secured by a key shared by $\lambda$ nodes is also
application- and protocol-dependent, though it is typically a function of $p(m, x, \lambda)$ approximated
by Lemma 10. The worst-case probability of link compromise can thus be computed as $f(x, \lambda_{max})$
where $\lambda_{max}$ is similar to that discussed in Section 4.3.1. Since $p(m, x, \lambda_{max})$ depends only on the
maximum value $\lambda_{max}$ in the support of the assignment distribution $\mathcal{P}$, the network size $N$, and the
number of captured nodes $x$, it can be a useful metric in designing the assignment distribution $\mathcal{P}$.


4.7  Assignment  Distributions 

Due to the fact that the algorithms in the sampling framework presented in Section 4.5.3 can realize
a given assignment distribution $\mathcal{P}$ with negligible occurrence of boundary sets, the assignment
distributions can be designed independently of the key assignment algorithms. Hence, assignment
distributions can be designed with respect to the analytical results in Section 4.6 in terms of average
and worst-case network connectivity and resilience to node capture. However, the finite sampling
effects described in Definition 19 must still be considered in the design of an assignment distribution.

In general, the design of an assignment distribution depends highly on the application requirements
and link-key establishment scheme. Furthermore, the average network connectivity and
resilience to node capture depend only on the mean $\mu$ of the assignment distribution $\mathcal{P}$. Hence, the
optimal assignment distribution is application specific.

The design of an assignment distribution $\mathcal{P}$ can be broken into two primary steps. The first step
is to determine the support $\Lambda$ of the assignment distribution, and the second step is to determine
the probability mass $\mathcal{P}(\lambda)$ for every $\lambda \in \Lambda$.

4.7.1  Assignment  Distribution  Support 

In order to compensate for finite sampling effects, the size of the support $\Lambda$ of the assignment
distribution $\mathcal{P}$ should be larger than 1. In contrast, however, the size of $\Lambda$ should be as small as
possible to avoid the undesirable tail-effects discussed in Section 4.3.1. Though not a requirement,
we assume the support $\Lambda$ is a contiguous subset of $\{0, \dots, N\}$, i.e. if $\lambda_1, \lambda_2 \in \Lambda$ then $\lambda \in \Lambda$ for
all $\lambda \in \{0, \dots, N\}$ such that $\lambda_1 < \lambda < \lambda_2$. Furthermore, $\Lambda$ should contain the values nearest to
the average value $\mu$ of the assignment distribution $\mathcal{P}$ required for sufficient network connectivity
as given by Theorem 9 and Theorem 13. Hence, the design of the support $\Lambda$ is equivalent to
determination of $\lambda_{min} = \min\{\lambda \in \Lambda\}$ and $\lambda_{max} = \max\{\lambda \in \Lambda\}$ such that $\lambda_{min} \le \mu \le \lambda_{max}$.

In order to determine the value of $\lambda_{min}$, we consider the worst-case probability of sharing
keys $p_s(i, \lambda_{min}, \dots, \lambda_{min})$ as given by Theorem 10. Similarly, to determine the value of $\lambda_{max}$, we
consider the worst-case resilience to node capture in terms of the probability $p(m, x, \lambda_{max})$ as given
by Lemma 9 and approximated by Lemma 10. Furthermore, we must consider the finite sampling
effects which arise due to the choice of $\lambda_{min}$, $\lambda_{max}$, and the key assignment algorithms. For the
KSR and KSNR algorithms, only boundary sets with distance 1 can occur, so the finite sampling
effects can be seen as negligible. However, for the NSR and NSNR algorithms, boundary sets
with distance between 1 and $\lambda_{min} - 1$ may occur. Hence, for the NSR and NSNR algorithms,
we are interested in minimizing the boundary distance of the resulting boundary sets. Through
simulation, we note that as the value $|\Lambda| = \lambda_{max} - \lambda_{min} + 1$ decreases, the distance of boundary sets
due to finite sampling effects tends to increase. Thus, to avoid boundary sets with large distance,
$\lambda_{max}$ should be increased and $\lambda_{min}$ should be decreased. Hence, there exists a trade-off between
improving the worst-case probability of sharing keys, improving the worst-case resilience to node
capture, and minimizing the boundary distance of boundary sets which occur due to finite sampling
effects. Therefore, determining the optimal values of $\lambda_{min}$ and $\lambda_{max}$ is application dependent.

Figure 4.9: Occurrence of boundary sets for Example 2 using (a) KSR algorithm (b) KSNR algorithm (c) NSR
algorithm (d) NSNR algorithm. Horizontal axis of each panel: assignment set size.

4.7.2  Probability  Mass  on  A 

Once the support $\Lambda$ of the assignment distribution $\mathcal{P}$ is determined, the probability mass $\mathcal{P}(\lambda)$ for
each $\lambda \in \Lambda$ must be determined. However, if $|\Lambda| > 1$, there are an uncountably infinite number of
possible assignment distributions for given values of $\mu$, $\lambda_{min}$, and $\lambda_{max}$, leading to a high degree of
freedom in determining the assignment distribution $\mathcal{P}$.

As worst-case probability of sharing keys and the worst-case resilience to node capture are best
mitigated by an assignment distribution with trivial support, i.e. $|\Lambda| = 1$, we approximate this
performance by placing more probability mass on the values of $\lambda$ nearest to $\mu$, resulting in an
assignment distribution which is peaked near $\mu$ and decreases as $|\mu - \lambda|$ increases.
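The two design steps of Sections 4.7.1 and 4.7.2 as an added Python example (it is not code from the report). It evaluates Theorem 10 with $i = 0$, Theorem 12 with every $\lambda_j$ set to $\mu$ as Proof 28 describes, and Lemma 10, using the parameters and thresholds the report states in Example 2 of Section 4.7.3; the function names and the linear-peak rule in `peaked_pmf` are assumptions of this example.

```python
from fractions import Fraction
from math import comb


def p_no_shared_key(n_nodes, set_sizes):
    """Theorem 10 with i = 0: probability that two nodes share none of the
    keys whose assignment set sizes are listed in set_sizes."""
    prob = 1.0
    for lam in set_sizes:
        prob *= (n_nodes - lam) / (n_nodes - 1)
    return prob


def expected_degree(n_nodes, keys_per_node, mean_size):
    """Theorem 12 with every lambda_j replaced by the mean (Proof 28)."""
    sizes = [mean_size] * keys_per_node
    return (n_nodes - 1) * (1 - p_no_shared_key(n_nodes, sizes))


def min_mean_for_degree(n_nodes, keys_per_node, degree):
    """Smallest mean assignment set size whose expected degree reaches
    `degree`, obtained by inverting expected_degree() in closed form."""
    ratio = (1 - degree / (n_nodes - 1)) ** (1 / keys_per_node)
    return n_nodes - (n_nodes - 1) * ratio


def p_captured_copies(m, x, lam, n_nodes):
    """Lemma 10: approximate probability that exactly m of x captured nodes
    hold a key shared by lam nodes (for x << N - 2 and m << lam - 2)."""
    hit = (lam - 2) / (n_nodes - 2)
    miss = (n_nodes - lam) / (n_nodes - 2)
    return comb(x, m) * hit ** m * miss ** (x - m)


def smallest_lambda_min(n_nodes, keys_per_node, min_share_prob):
    """Smallest lambda for which a node holding only keys of that set size
    still shares at least one key with probability >= min_share_prob."""
    for lam in range(1, n_nodes + 1):
        worst = 1 - p_no_shared_key(n_nodes, [lam] * keys_per_node)
        if worst >= min_share_prob:
            return lam
    raise ValueError("no assignment set size meets the sharing bound")


def largest_lambda_max(n_nodes, captured, max_exposure):
    """Largest lambda for which the chance that at least one of `captured`
    nodes holds the key, 1 - p(0, x, lambda), stays <= max_exposure."""
    best = None
    for lam in range(2, n_nodes + 1):
        if 1 - p_captured_copies(0, captured, lam, n_nodes) > max_exposure:
            break
        best = lam
    return best


def peaked_pmf(lam_min, lam_max):
    """Symmetric mass that rises linearly towards the middle of the support;
    for the support 19..28 this reproduces (4.34)."""
    raw = {lam: min(lam - lam_min + 1, lam_max - lam + 1)
           for lam in range(lam_min, lam_max + 1)}
    total = sum(raw.values())
    return {lam: Fraction(w, total) for lam, w in raw.items()}


def pmf_mean(pmf):
    return sum(lam * p for lam, p in pmf.items())


if __name__ == "__main__":
    N, K, X, D = 5000, 100, 50, 1813          # values stated in Example 2
    print("minimum mean     :", round(min_mean_for_degree(N, K, D), 2))
    print("lambda_min bound :", smallest_lambda_min(N, K, 0.3))
    print("lambda_max bound :", largest_lambda_max(N, X, 0.25))
    print("mean of (4.34)   :", float(pmf_mean(peaked_pmf(19, 28))))
```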
4.7.3 Illustration of Assignment Distribution Design

We provide the following example to illustrate the design of an assignment distribution for a given
link-key establishment scheme and set of network parameters.

Example 2 Let a WSN of $N = 5{,}000$ nodes with $K = 100$ keys per node and a radio range of
$r = 40$ m be deployed over a region $A$ of area $|A| = 0.5$ km$^2$ such that 2-connectivity is desired with
probability 0.99. We assume that any nodes sharing at least one key can establish a link-key as a
function of the shared keys and a link can be compromised as soon as the keys used to compute the
link-key are captured. Furthermore, we assume that the value $\lambda_{min}$ must be such that the worst-case
probability of sharing keys is within 20% of the average probability of sharing keys, and the value
$\lambda_{max}$ must be such that the worst-case probability of link compromise is within 20% of the average
probability of link compromise for $x = 50$ captured nodes.

Theorem 9 yields a minimum average vertex degree of $D = 1{,}813$ in the logical graph $G_L(N, \mathcal{R})$.
Theorem 13 yields a minimum average assignment set size of $\mu \ge 23.47$. The average probability
of sharing at least 1 key is given by Theorem 11 as $(1 - p_s(0)) = 0.3627$. Hence, the value of $\lambda_{min}$
must result in $(1 - p_s(0, \lambda_{min}, \dots, \lambda_{min})) \ge 0.3$. Theorem 10 yields $\lambda_{min} \ge 19$. The value of $\lambda_{max}$
must result in $1 - p(0, 50, \lambda_{max}) \le 0.25$. Lemma 10 yields $\lambda_{max} \le 30$. Hence, we choose the support
$\Lambda = \{19, \dots, 28\}$ and the symmetric probability mass function $\mathcal{P}$ given by

$$\mathcal{P}(\lambda) = \begin{cases} \frac{\lambda - 18}{30}, & \lambda \in \{19, \dots, 23\} \\ \frac{29 - \lambda}{30}, & \lambda \in \{24, \dots, 28\} \\ 0, & \text{else} \end{cases} \tag{4.34}$$

resulting in average assignment set size $\mu = 23.5 > 23.47$. Figure 4.9 displays the boundary sets
which occur as a result of finite sampling effects for the assignment distribution given in (4.34)
when each of the four algorithms in Section 4.5.3 is used.

4.8 Deployment of Additional Nodes in the WSN

In many applications, it may be necessary to deploy additional sensor nodes to replace those which
have a depleted energy supply or to increase the coverage of an existing WSN. If the link-key
establishment method is such that addition of nodes to the WSN does not require a prohibitive
amount of communication overhead, the incorporation of the additional sensor nodes into the secure
WSN can be described in terms of the canonical model. However, if a sufficient number of nodes
are to be deployed into an existing WSN, the key assignment scheme for the subsequent deployment
might be very different from that of the original deployment. We investigate such scenarios using
the canonical model of key assignment schemes assuming that $N$ nodes have been deployed using
the key assignment scheme $(\mathcal{P}, \mathcal{A})$ and $M$ additional nodes are to be deployed into the existing
WSN. We provide a general approach for deployment of additional nodes and give an example
which yields a well-known result.

In deploying $M$ additional nodes into an existing WSN, it is highly desirable for the $N + M$
nodes to act as a single secure WSN, so the $M$ additional nodes must be assigned keys which can
be used to establish link-keys with any of the $N + M$ nodes. Furthermore, if $M$ is sufficiently large,
a subset of the keys assigned to the $M$ additional nodes can be fresh. The exact proportion of fresh
and existing keys used in key assignment for the additional nodes is application dependent, though
it is computed as a function of $N$ and $M$. For simplicity, we assume that a fraction $f$ of the keys
assigned to the $M$ additional nodes are fresh, and the remaining fraction $(1 - f)$ of the keys are
chosen randomly from the set of existing keys.

The key assignment scheme used to assign keys to the $M$ additional nodes can be
designed as a function of the key assignment scheme, the parameters $N$, $M$, and $f$, the
total number of keys $P$ assigned to the $N$ nodes in the existing WSN, and the total number
of keys $P'$ to be assigned to the $M$ additional nodes. The overall assignment distribution $\mathcal{Q}$ for the
network of $N + M$ nodes assigned keys using assignment distributions $\mathcal{P}$ and $\mathcal{P}'$ is given by the
following theorem.


Theorem 15 Given N + M nodes such that N nodes are assigned a total of P keys using the
assignment distribution V and M nodes are assigned a total of P' keys using the assignment
distribution V' where a fraction $f$ of the P' keys are fresh, the overall assignment distribution Q is
given by

$$
Q(\lambda) = \frac{P - (1-f)P'}{P + fP'}\,V(\lambda) + \frac{(1-f)P'}{P + fP'}\,(V * V')(\lambda) + \frac{fP'}{P + fP'}\,V'(\lambda)
$$

where V * V' is the discrete convolution of the assignment distributions V and V' given by

$$
(V * V')(\lambda) = \sum_{\nu} V(\nu)\,V'(\lambda - \nu).
$$


Proof 32 The probability that a key k is assigned only to the M additional nodes is equal to the
number of fresh keys divided by total keys, $\frac{fP'}{P + fP'}$. The probability that k is assigned only to the
N existing nodes is equal to the number of existing keys divided by total keys, $\frac{P - (1-f)P'}{P + fP'}$. The
probability that k is assigned to both existing and additional nodes is then $\frac{(1-f)P'}{P + fP'}$. The probability
that k is assigned to $\lambda_1$ existing nodes and $\lambda_2$ additional nodes can then be written in terms of V,
V', and V * V' using the above probabilities as weights.


The parameters of the assignment distribution V' can be chosen in a similar way to the methods
described in Section 4.7 and the relationship between the expected value $\mu$ of V, $\mu'$ of V', and $\gamma$ of
Q given by

$$
\gamma = \frac{P - (1-f)P'}{P + fP'}\,\mu + \frac{(1-f)P'}{P + fP'}\,(\mu + \mu') + \frac{fP'}{P + fP'}\,\mu'
= \frac{P}{P + fP'}\,\mu + \frac{P'}{P + fP'}\,\mu'. \qquad (4.35)
$$


We note that, if $0 < f < 1$, the support of the distribution Q is necessarily larger than the
support of either distribution V or V'. Hence, the addition of nodes to the network with $0 < f < 1$
causes the assignment distribution to spread. This tends to increase the value of $\lambda_{\max}$ of the
assignment distribution Q compared to that of either V or V', thus increasing the worst-case
probability estimated by Lemma 10.

In  both  Theorem  15  and  (4.35),  the  number  of  keys  P'  assigned  to  the  M  additional  nodes  may 
be  unknown  prior  to  key  assignment,  but  it  can  be  approximated  by  its  expected  value  P'  = 

We  consider  the  following  examples  of  deployment  of  additional  nodes  into  a  WSN. 

Example 3 Consider an existing network of N nodes, each of which is assigned K randomly
selected keys from a set of P keys using the random key predistribution scheme of [4]. The assignment
distribution V is thus given by the binomial distribution $B(N, \frac{K}{P})$ with mean $\mu =$ In order to
replace depleted nodes and reinforce the WSN, M additional nodes with K keys per node are to be
added to the existing network. To paraphrase [4], since a sufficient number of the K keys stored in
each node are not used to establish link-keys in the existing network, the same set of P keys can be
used in the random key predistribution scheme for the M additional nodes. Hence, P' = P and the
distribution V' is given by the binomial distribution $B(M, \frac{K}{P})$ with mean $\mu' = \frac{MK}{P}$. Since the same
P keys are used, and the trial probability for the binomial distributions of V and V' are the same,
this situation is equivalent to deploying a network of N + M nodes with assignment distribution
Q given by the binomial distribution $B(N + M, \frac{K}{P})$ with mean $\gamma = \mu + \mu' =$ This result
corresponds to the result of Theorem 15 with the given distributions V and V', P = P', and $f = 0$.

The  result  of  Theorem  15  is  far  more  general,  however,  than  is  illustrated  by  Example  3.  The 
following  example  demonstrates  the  generality  of  Theorem  15. 

Example 4 Similar to Example 3, consider an existing network of N nodes, each of which is
assigned K randomly selected keys from a set of P keys using the random key predistribution scheme
of [4] with assignment distribution V given by the binomial distribution $B(N, \frac{K}{P})$. The additional
M nodes are assigned K keys each from a total of P' = P keys, such that a given fraction $f$ of
the P' keys are fresh, and a fraction $(1 - f)$ are randomly selected from the initial set of P keys.
For this example, we assume the assignment distribution V' is given by a symmetric peaked
distribution similar to that of (4.34) with $\Lambda = \{\lambda \in \{0, \ldots, N\} : |\lambda - \mu'| \le 5\}$ where $\mu'$ is a given
value for the mean of the assignment distribution V'. Hence, the overall assignment distribution
Q corresponding to the N + M nodes is given by Theorem 15. The mean of the distribution Q is
given by (4.35) as

$$
\gamma = \frac{P}{P + fP}\,\mu + \frac{P}{P + fP}\,\mu' = \frac{1}{1 + f}\,(\mu + \mu'). \qquad (4.36)
$$

Since \ < < 1, the maximum value of $\gamma$ is $\mu + \mu'$, and the minimum value of $\gamma$ is .

Hence, choosing $f = 0$ (as in Example 3) maximizes the connectivity of the resulting network, as
given by Theorem 9, but also maximizes the probability p(m,x) approximated by Theorem 14. Since
the original network parameters were specified to guarantee network connectivity, the maximum
value of $\gamma$ given by $f = 0$ is a secondary concern to the significant reduction in resilience to node
capture. Hence, choosing $f \gg 0$ in this example can maintain the connectivity of the network
without sacrificing resilience to node capture. Furthermore, the choice of V' with support of size
at most $|\Lambda| = 11$ yields an overall support set of size at most N + 11. If M > 11, this choice
of V' results in a significant improvement in the worst-case probability of sharing keys as given by
Theorem 10 and the worst-case resilience to node capture given by Lemma 9 or Lemma 10 compared
to the resulting assignment distribution in Example 3.
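Theorem 15 and the mean relation (4.35) can be checked numerically. The following is an added Python example, not code from the report: it builds Q from V and V', confirms that the setting of Example 3 collapses to a single binomial, and evaluates a case in the style of Example 4. The values N = 100, M = 50, K = 20, P = 1000, the mean 6 and the triangular shape of the peaked distribution are assumptions chosen for illustration.

```python
from math import comb


def binomial_pmf(n, p):
    """pmf of B(n, p) as a list indexed by lambda = 0..n."""
    return [comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(n + 1)]


def peaked_pmf(center, half_width, n):
    """Symmetric peaked pmf on |lambda - center| <= half_width over 0..n.

    The triangular weights are an assumed shape in the style of (4.34).
    """
    weights = [max(0, half_width + 1 - abs(lam - center)) for lam in range(n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def convolve(a, b):
    """Discrete convolution (a * b)(lambda) = sum over nu of a(nu) b(lambda - nu)."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def overall_distribution(v, v_new, p_keys, p_new, f):
    """Overall assignment distribution Q of Theorem 15.

    v      : distribution for the N existing nodes (P = p_keys keys in total)
    v_new  : distribution for the M additional nodes (P' = p_new keys in total)
    f      : fraction of the P' keys that are fresh
    """
    if not 0.0 <= f <= 1.0:
        raise ValueError("f must lie in [0, 1]")
    reused = (1 - f) * p_new          # keys held by both groups
    fresh = f * p_new                 # keys held only by additional nodes
    if reused > p_keys:
        raise ValueError("cannot reuse more keys than the existing pool holds")
    total = p_keys + fresh            # distinct keys in the combined network
    size = len(v) + len(v_new) - 1    # support runs over 0..N+M

    def pad(dist):
        return dist + [0.0] * (size - len(dist))

    both = convolve(v, v_new)
    return [
        ((p_keys - reused) * a + reused * c + fresh * b) / total
        for a, c, b in zip(pad(v), both, pad(v_new))
    ]


def mean(dist):
    return sum(lam * prob for lam, prob in enumerate(dist))


def mean_by_4_35(mu, mu_new, p_keys, p_new, f):
    """Right-hand side of (4.35)."""
    return (p_keys * mu + p_new * mu_new) / (p_keys + f * p_new)


# Constructed parameters (assumptions, not values from the report).
N, M, K, P = 100, 50, 20, 1000

if __name__ == "__main__":
    v = binomial_pmf(N, K / P)

    # Example 3: same pool, no fresh keys -> Q should equal B(N + M, K/P).
    q3 = overall_distribution(v, binomial_pmf(M, K / P), P, P, 0.0)
    reference = binomial_pmf(N + M, K / P)
    print("max |Q - B(N+M, K/P)| =", max(abs(a - b) for a, b in zip(q3, reference)))

    # Example 4 style: half of the new keys are fresh, V' peaked around 6.
    q4 = overall_distribution(v, peaked_pmf(6, 5, M), P, P, 0.5)
    print("mean of Q      =", mean(q4))
    print("mean by (4.35) =", mean_by_4_35(mean(v), 6.0, P, P, 0.5))
```
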


4.9  Summary  of  Contributions 

We  proposed  a  canonical  key  assignment  model  for  key  predistribution  schemes  in  WSNs  based  on 
the  probability  that  a  key  is  shared  by  a  given  number  of  nodes  and  the  algorithm  for  assignment 
of  keys  to  nodes.  We  proposed  a  sampling  framework  for  key  assignment  algorithms  for  use  in 
the  canonical  model  and  a  model  for  probabilistic  connectivity  of  secure  WSNs  restricted  by  radio 
range  and  the  existence  of  shared  keys.  We  analyzed  key  predistribution  schemes  in  the  canonical 
model  in  terms  of  network  connectivity  and  resilience  to  node  capture,  reflecting  the  worst-case 
probabilities  for  each  metric.  We  demonstrated  the  design  of  new  key  predistribution  schemes  using 
the  canonical  model  while  paying  particular  attention  to  the  worst-case  seed-sharing  probability 
and  resilience  to  node  capture.  Finally,  we  presented  an  approach  to  analyze  the  effect  of  adding 
nodes  to  an  existing  secure  WSN.  This  approach  enables  the  design  of  assignment  distributions 
that can tightly match the security requirements of a given application.

Chapter 5


Evaluating  the  Vulnerability  of 
Network  Traffic  Using  Joint  Security 
and  Routing  Analysis 


5.1  Introduction 

Assurance of secure applications and services in wireless networks relies on the properties of
confidentiality and integrity, respectively defined as the ability to keep data secret from unauthorized
entities and the ability to verify that data has not been maliciously or accidentally altered [22].
Eschenauer and Gligor recently demonstrated in [4] that these properties can be efficiently
compromised by physically capturing network nodes and extracting cryptographic keys from their
memories. These node capture attacks are possible in most wireless networks due to the unattended
operation of wireless nodes and the prohibitive cost of tamper-resistant hardware in portable
devices [4]. Recent literature [4,11,19,23] has focused on random node capture attacks. However, an
intelligent adversary can improve the efficiency of a node capture attack using publicly available
information learned by eavesdropping on insecure message exchanges throughout the network.

The recovery of cryptographic keys from node memories and the fact that keys tend to be
reused for efficient key management leads to an effective wire-tapping attack [24]. Such an attack can
be used to compromise the security of single-hop wireless links. However, messages in a wireless
network  traverse  multiple  links  and  paths  between  a  source  and  destination  node,  and  a  message 
may  be  compromised  by  traversing  a  single  insecure  link.  Hence,  the  overall  security  of  routed 
messages  depends  on  the  assignment  of  keys  to  nodes  in  the  network,  the  wireless  network  routing 
protocol,  the  physical  network  topology,  and  the  relative  positions  of  the  source  and  destination 
nodes  in  the  network.  Moreover,  the  fact  that  a  message  is  transmitted  over  numerous  links  between 
a  source  and  destination  node  implies  that  the  overall  confidentiality  and  integrity  of  the  routed 
message  may  only  be  as  secure  as  the  least  secure  link,  implying  that  vulnerabilities  arise  due  to 
the  topology  of  secure  links  in  the  wireless  network.  Hence,  the  impact  of  a  node  capture  attack  is 
a  function  of  both  the  cryptographic  protocol  which  provides  link  security  and  the  routing  protocol 
which determines the set of links traversed by a given message.

In this chapter, we introduce a class of metrics to measure the effective security offered in a
wireless  network  as  a  function  of  the  routing  topology  and  the  link  security  provided  by  the  key 
assignment  protocol.  This  joint  protocol  analysis  allows  a  network  analyst  or  an  adversary  to 
evaluate  the  vulnerability  of  network  traffic  and  isolate  weakly  secured  connections.  We  approach 
the  problem  from  an  adversarial  perspective  and  show  how  an  intelligent  adversary  can  mount  a 
node  capture  attack  using  vulnerability  evaluation  to  focus  the  attack  on  the  nodes  which  contribute 
maximally  to  the  compromise  of  network  traffic.  The  necessary  resource  expenditure  associated 
with  the  node  capture  attack  implies  that  the  optimal  attack  with  minimum  resource  expenditure 
corresponds  to  a  minimum  cost  set  of  nodes,  in  contrast  to  wiretapping  attacks  in  routing  or 
secure  network  coding  [25,26]  which  seek  a  minimum  cost  set  of  links.  We  demonstrate  that  joint 
consideration  of  the  information  from  routing  and  key  assignment  protocols  leads  to  a  significant 
reduction  in  resource  expenditure  in  comparison  to  consideration  of  information  from  either  protocol 
separately. 


5.2  Our  Contributions 

We  aim  to  provide  a  formal  characterization  of  node  capture  attacks.  We  define  a  collection  of 
vulnerability  metrics  and  formulate  the  minimum  cost  node  capture  attack  problem  as  a  nonlinear 
integer  program  using  the  defined  vulnerability  metrics.  We  further  show  that  node  capture  attacks 
attempting  to  compromise  secure  links  independent  of  the  routing  topology  can  be  reduced  to  a 
linear  integer  program  formulation.  We  present  the  GNAVE  algorithm,  a  Greedy  Node  capture 
Approximation  using  Vulnerability  Evaluation,  to  approximate  the  minimum  cost  node  capture 
attack  using  any  of  the  vulnerability  metrics  of  interest. 

We  present  a  collection  of  vulnerability  metrics  for  differing  attack  strategies  based  only  on  key 
assignment  and  jointly  on  key  assignment  and  routing.  We  demonstrate  that,  although  certain 
information  can  be  hidden  from  the  adversary  through  the  use  of  privacy-preserving  protocols, 
statistical  methods  can  be  employed  by  the  adversary  to  effectively  mitigate  this  attempt  at  attack 
defense.  We  provide  a  detailed  simulation  study  to  demonstrate  and  compare  the  impact  of  node 
capture  attacks  using  the  GNAVE  algorithm  with  various  strategies  in  wireless  networks  with 
examples  of  both  classical  routing  and  network  coding  protocols. 


5.3  Models  and  Notation 

In  this  section,  we  state  the  assumed  wireless  network,  key  assignment,  and  adversary  models.  We 
summarize  the  notation  used  throughout  this  chapter  in  Table  5.1. 

5.3.1  Network  Model 

The topology of the wireless network with a set of nodes $\mathcal{N}$ is represented by the directed network
graph $G = (\mathcal{N}, L)$. The link set L contains all ordered pairs of one-hop communicating neighbors,
equivalent to an asymmetric relation [27], such that $(i, j)$ is in L for $i \neq j$ if and only if node i can
reliably send messages to node j without intermediate relay nodes. The link set L is dependent
on parameters such as node location and configuration and properties of the radios, transmission
medium, and MAC layer protocols.

We denote the subsets of $\mathcal{N}$ of message source and destination nodes in the network as $\mathcal{S}$ and $\mathcal{D}$,
respectively. The set of source-destination pairs is denoted $\mathcal{T} \subseteq \mathcal{S} \times \mathcal{D}$ and is constructed based on
the routing protocol decisions. For a given source-destination pair $(s, d) \in \mathcal{T}$, the routing protocol
will construct one or more directed routing paths through G, where a path is defined as a set of
sequential links in L. We define the route $\mathcal{R}_{sd}$ as the set of all paths traversed by any message
from s to d, and we let $f_\pi$ denote the fraction of traffic from s to d that traverses the given path
$\pi \in \mathcal{R}_{sd}$. The route $\mathcal{R}_{sd}$ can be represented graphically by the route subgraph $G_{sd}$ of G consisting
of nodes and directed links traversed by at least one routing path $\pi \in \mathcal{R}_{sd}$ from s to d.

We  define  the  following  classes  of  routing  protocols,  partitioning  the  space  of  routing  protocols 
based  on  the  dependence  of  messages  routed  along  different  (not  necessarily  disjoint)  paths,  as 
follows. 

Definition  20  The  class  of  independent  path  routing  protocols  consists  of  any  protocol  which  uses 
one  or  more  paths  to  route  separate  messages  such  that  messages  traversing  different  paths  are 
independently  coded  and  secured. 

The class of independent path routing protocols contains, for example, protocols using a single,
fixed path such as AODV [28] or DSR [29] as well as protocols using multiple paths such as GBR [30]
or GEAR [31]. The route $\mathcal{R}_{sd}$ under independent path routing is equivalent to the superposition
of $|\mathcal{R}_{sd}|$ single-path routes, where each single-path route $\{\pi\}$ for $\pi \in \mathcal{R}_{sd}$ is weighted by the
corresponding traffic fraction $f_\pi$.

Definition  21  The  class  of  dependent  path  routing  protocols  consists  of  any  protocol  which  uses 
multiple  paths  in  which  packets  traversing  separate  paths  are  jointly  coded,  fragmented,  or  secured. 

The class of dependent path routing protocols contains, for example, protocols based on threshold
secret sharing [32] and network coding [25,26,33] in which a set of coded packets must be jointly
decoded in order to recover the original set of messages.

5.3.2  Key  Assignment  Model 

We assume the existence of a secure key assignment mechanism as follows. Let $\mathcal{K}$ be a set of
symmetric cryptographic keys and $\mathcal{L}$ be a corresponding set of publicly available key labels. Each
node $i \in \mathcal{N}$ is assigned a subset $\mathcal{K}_i \subseteq \mathcal{K}$, and the corresponding subset $\mathcal{L}_i \subseteq \mathcal{L}$. We denote the
subset of keys shared by nodes i and j as $\mathcal{K}_{ij} = \mathcal{K}_i \cap \mathcal{K}_j$ and allow communication between i and
j if and only if $\mathcal{K}_{ij} \neq \emptyset$ (see footnote 1). We assume that nodes i and j use the entire set of shared keys to
secure the link $(i, j)$, so the strength of the link security is directly related to the number of shared
keys. We assume that nodes i and j compute the intersection $\mathcal{L}_{ij} = \mathcal{L}_i \cap \mathcal{L}_j$ in order to determine
the set of shared keys $\mathcal{K}_{ij}$ using a protocol from one of the following classes.

Definition 22 The class of public label exchange protocols consists of any protocol which provides
necessary information for any node $j \in \mathcal{N}$ to compute the set $\mathcal{L}_i$ of key labels for any node $i \in \mathcal{N}$.

The class of public label exchange protocols contains such protocols as the public broadcast of
$\mathcal{L}_i$ by each node $i \in \mathcal{N}$ as in [4] or the use of a public identity-based function to compute $\mathcal{L}_i$ as a
function of i as in [34].

Footnote 1: This requirement can be strengthened as in [19] to require $|\mathcal{K}_{ij}| > q$ for a fixed integer $q > 1$, though we do not
explicitly address this requirement.

Table 5.1: We provide a summary of the notation used in Chapter ?? for the problem of modeling node capture
attacks.

Symbol                                  Definition
$\mathcal{N}$                           Set of N wireless nodes
$L$                                     Set of ordered pairs of one-hop neighbor nodes
$G$                                     Network graph $(\mathcal{N}, L)$
$\mathcal{K}$, $\mathcal{L}$            Set of keys, labels
$\mathcal{K}_i$, $\mathcal{L}_i$        Set of keys, labels assigned to node $i \in \mathcal{N}$
$\mathcal{K}_{ij}$, $\mathcal{L}_{ij}$  Set of keys, labels shared by nodes i and j
$\mathcal{S}$, $\mathcal{D}$            Set of source, destination nodes
$\mathcal{T}$                           Subset of $\mathcal{S} \times \mathcal{D}$ of source-destination pairs
$\mathcal{R}_{sd}$                      Set of paths forming the route from s to d
$G_{sd}$                                Route subgraph of G corresponding to $\mathcal{R}_{sd}$
$f_\pi$                                 Fraction of $\mathcal{R}_{sd}$ traffic traversing $\pi$
$\mathcal{K}^E_{sd}$                    Set of keys securing the end-to-end link $(s, d)$
$\mathcal{T}_A$                         Adversary's target subset of $\mathcal{T}$
$C$                                     Subset of $\mathcal{N}$ of captured nodes
$\mathcal{K}_C$, $L_C$                  Set of compromised keys, links when C captured
$w_i$                                   Weight or cost of capturing node $i \in \mathcal{N}$
$p_{sd}$                                Weight representing adversary's route preference
$V_{sd}(C)$                             Route vulnerability of $\mathcal{R}_{sd}$ when C captured
$v_i(C)$                                Incremental value of node i when C captured
$R_C(i, j)$                             Link resistance of $(i, j)$ when C captured
$R_C(\mathcal{R}_{sd})$                 Route resistance of $\mathcal{R}_{sd}$ when C captured

Definition 23 The class of privacy-preserving set intersection protocols consists of any protocol
which provides necessary information for any node $j \in \mathcal{N}$ to only compute the set $\mathcal{L}_{ij}$ of key labels
shared with any node $i \in \mathcal{N}$ without giving any information to j about the remaining key labels in
$\mathcal{L}_i \setminus \mathcal{L}_j$.

The class of privacy-preserving set intersection protocols contains such protocols as the
challenge-response protocol proposed in [4] in which each node $i \in \mathcal{N}$ computes a random nonce $a$ and
broadcasts $a$ and the challenge $E_k(a)$ for each $k \in \mathcal{K}_i$.

In addition to the link security provided by the set of shared keys $\mathcal{K}_{ij}$ for each link $(i, j)$, we
consider the incorporation of an additional end-to-end security mechanism for each route $\mathcal{R}_{sd}$ which
depends only on the source s and destination d. If it is physically possible and allowed by policy, the
source node s can compute the set $\mathcal{K}_{sd}$ of keys shared with the destination node d and additionally
secure messages in the route $\mathcal{R}_{sd}$ using the shared keys $\mathcal{K}_{sd}$. We denote the set of keys securing
the end-to-end connection between s and d as $\mathcal{K}^E_{sd}$, noting that $\mathcal{K}^E_{sd} = \mathcal{K}_{sd}$ if s and d are able and
allowed to use end-to-end security and $\mathcal{K}^E_{sd} = \emptyset$ otherwise. We include the additional end-to-end
secure link $(s, d)$ in the route subgraph $G_{sd}$ with the corresponding link security depending only on

5.3.3  Adversarial  Model 

We  consider  a  polynomial-time  adversary  with  the  ability  and  resources  to  eavesdrop  on  and  record 
messages  throughout  the  network,  capture  nodes,  and  extract  cryptographic  keys  from  the  memory 
of  captured  nodes.  We  assume  that  the  adversary  has  knowledge  of  the  key  assignment  and  routing 
protocols,  including  protocol  parameters,  and  can  participate  actively  in  any  network  protocols  by 
assuming  the  roles  of  captured,  replicated,  or  fabricated  nodes.  We  further  assume  that  the  route 
subgraph $G_{sd}$ for each $(s, d) \in \mathcal{T}$ is available to the adversary or is computable using traffic analysis
and estimation [35].

The primary goal of the adversary is to compromise the confidentiality and integrity of all
messages routed between a target set of source-destination pairs denoted $\mathcal{T}_A \subseteq \mathcal{T}$ by extracting
cryptographic keys from the memory of captured nodes $C \subseteq \mathcal{N}$ with minimum resource expenditure.
The adversary thus captures nodes intelligently by associating an individual weight or cost $w_i$ with
the resource expenditure required to capture each node $i \in \mathcal{N}$. We do not address further attacks
on  network  protocols  and  services  that  can  be  performed  as  a  result  of  message  compromise. 


5.4  Route  Vulnerability  Metrics  under  Node  Capture  Attacks 

In this section, we define a class of route vulnerability metrics (RVM) to quantify the effective
security of traffic traversing a given route $\mathcal{R}_{sd}$. Using the RVM definition, we formulate the
minimum cost node capture attack problem as a nonlinear integer programming minimization problem.
Since determining the optimal node capture attack is likely infeasible, we propose the GNAVE
algorithm using a greedy heuristic to iteratively capture nodes which maximize the increase in route
vulnerability.

5.4.1 Route Vulnerability Metric (RVM)

In order to evaluate the effect of a node capture attack on the effective security of traffic traversing
a route $\mathcal{R}_{sd}$, we formally define link, path, and route compromise due to the capture of a subset
$C \subseteq \mathcal{N}$ of network nodes. We denote the set of keys recovered by the adversary in capturing the
subset C as $\mathcal{K}_C = \bigcup_{i \in C} \mathcal{K}_i$. If a message traverses a link which is secured by keys in $\mathcal{K}_C$, the security
of the message is compromised. The compromise of individual links in the network, with respect
to the network and routing models in Section 5.3, is defined as follows.

Definition 24 The link $(i, j) \in L$ or $(s, d) \in \mathcal{T}$ is compromised if and only if $\mathcal{K}_{ij} \subseteq \mathcal{K}_C$ or
$\mathcal{K}^E_{sd} \subseteq \mathcal{K}_C$, respectively, and the set of all compromised links is denoted $L_C \subseteq L \cup \mathcal{T}$.

Using Definition 24, we further define the compromise of paths and message routes as follows.

Definition 25 The path $\pi \in \mathcal{R}_{sd}$ is compromised if and only if $(s, d) \in L_C$ and there is at least
one link $(i, j)$ in $\pi$ for which $(i, j) \in L_C$.

Note that the inclusion of the end-to-end link $(s, d)$ in the requirement for path compromise
indicates that any message traversing a compromised path can be eavesdropped or modified by the
adversary.

Definition 26 The route $\mathcal{R}_{sd}$ for $(s, d) \in \mathcal{T}$ is compromised if and only if every path $\pi \in \mathcal{R}_{sd}$ is
compromised.

Using  Definition  26,  an  adversary  can  compute  the  fraction  of  target  routes  compromised  due 
to  the  capture  of  a  set  of  nodes  C.  However,  this  evaluation  does  not  provide  the  adversary  with  a 
method  for  selection  of  the  set  C.  Furthermore,  the  fraction  of  compromised  target  routes  does  not 
provide  any  indication  of  the  contribution  of  nodes  in  C  toward  the  future  compromise  of  additional 
routes,  as  the  compromise  of  a  route  is  a  binary  event. 
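The compromise conditions of Definitions 24 to 26 translate directly into set operations. The following is an added Python example, not code from the report, that an analyst could use to check which routes remain confidential if a given set of nodes is lost. The node names, key ids, the route dictionary layout and all function names are constructed for illustration.

```python
def recovered_keys(node_keys, captured):
    """K_C: union of the key sets held by the captured nodes."""
    keys = set()
    for node in captured:
        keys |= node_keys[node]
    return keys


def link_keys(node_keys, i, j):
    """K_ij = K_i ∩ K_j, the complete set of keys securing link (i, j)."""
    return node_keys[i] & node_keys[j]


def link_compromised(node_keys, link, k_c):
    """Definition 24 for (i, j) in L: compromised iff K_ij ⊆ K_C."""
    i, j = link
    shared = link_keys(node_keys, i, j)
    if not shared:
        # The key assignment model only allows communication when K_ij is non-empty.
        raise ValueError(f"link {link} has no shared key and cannot be in L")
    return shared <= k_c


def end_to_end_keys(node_keys, route):
    """K^E_sd = K_sd when end-to-end security is in use, the empty set otherwise."""
    if route["end_to_end"]:
        return link_keys(node_keys, route["s"], route["d"])
    return set()


def route_status(node_keys, route, captured):
    """Apply Definitions 24-26 to one route for a captured set C."""
    k_c = recovered_keys(node_keys, captured)
    # The empty set is a subset of every set, so a route without end-to-end
    # keys always has (s, d) in L_C and relies on link security alone.
    e2e = end_to_end_keys(node_keys, route) <= k_c
    paths = [
        e2e and any(link_compromised(node_keys, link, k_c) for link in path)
        for path in route["paths"]
    ]
    return {
        "end_to_end_compromised": e2e,
        "paths_compromised": paths,          # Definition 25, one flag per path
        "route_compromised": all(paths),     # Definition 26
    }


def fraction_compromised(node_keys, routes, captured):
    """Fraction of the given routes that are compromised when C is captured."""
    hit = sum(route_status(node_keys, r, captured)["route_compromised"] for r in routes)
    return hit / len(routes)


# Constructed sample network: key ids are small integers.
NODE_KEYS = {
    "s": {1, 2, 3, 8},
    "a": {2, 4, 5},
    "b": {3, 6, 7},
    "d": {5, 7, 8, 9},
    "x": {2, 4, 9},   # off-path node that happens to hold key 2
    "y": {3, 5},      # off-path node that happens to hold keys 3 and 5
}
PATHS = [[("s", "a"), ("a", "d")], [("s", "b"), ("b", "d")]]
ROUTE_PLAIN = {"s": "s", "d": "d", "paths": PATHS, "end_to_end": False}
ROUTE_E2E = {"s": "s", "d": "d", "paths": PATHS, "end_to_end": True}

if __name__ == "__main__":
    for captured in (set(), {"x"}, {"x", "y"}):
        print(sorted(captured),
              route_status(NODE_KEYS, ROUTE_PLAIN, captured),
              route_status(NODE_KEYS, ROUTE_E2E, captured))
```

In the sample data neither x nor y lies on a routing path, yet losing both compromises the route without end-to-end keys through key reuse, while the same route with end-to-end keys stays uncompromised.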

To adequately capture the progression toward the compromise of additional routes, we introduce
the metric of route vulnerability $V_{sd}(C)$ as defined by the following RVM class.

Definition 27 The route vulnerability $V_{sd}(C)$ of the route $\mathcal{R}_{sd}$ due to the capture of nodes in C is
defined as any of the class of functions mapping into the unit interval [0, 1] such that

1. $V_{sd}(\emptyset) = 0$, where $\emptyset$ is the empty set,

2. $V_{sd}(C) = 1$ if and only if $\mathcal{R}_{sd}$ is compromised when C is captured, and

3. $0 < V_{sd}(C) < 1$ if and only if $\mathcal{R}_{sd}$ is not compromised when C is captured but C contributes
to the weakening of the security of at least one link in the route $\mathcal{R}_{sd}$.

The class of RVMs thus relaxes the binary notion of route compromise to a continuous measure
of the progress of the attack and allows for comparison of partial compromise by different sets $C_1$
and $C_2$ of captured nodes.

Problem:    Minimum Cost Node Capture Attack
Given:      $\mathcal{L}_i$, $w_i$ for $i \in \mathcal{N}$, $\mathcal{R}_{sd}$ for $(s, d) \in \mathcal{T}_A$
Find:       $C \subseteq \mathcal{N}$
such that   $\sum_{i \in C} w_i$ is minimized
and         $V_{sd}(C) = 1$ for all $(s, d) \in \mathcal{T}_A$.

Figure 5.1: The minimum cost node capture attack is formulated as a constrained optimization problem.


5.4.2  Node  Capture  Attack  Formulation 

For any RVM realization satisfying the conditions of Definition 27, we devise a node capture strategy
that maximizes the progression toward the goal of compromising all routes $\mathcal{R}_{sd}$ for $(s, d) \in \mathcal{T}_A$. The
choice of subset C requiring the minimum resource expenditure is thus given by the minimum cost
node capture problem in Figure 5.1.

In general, based on Definition 25 of path compromise, the metric $V_{sd}(C)$ is nonlinear in the
entries of C. Hence, the minimum cost node capture attack above is a nonlinear integer programming
minimization problem, known to be NP-hard [27,36]. We thus propose the use of a greedy heuristic
that iteratively adds nodes to C based on maximizing the increase in route vulnerability $V_{sd}(C)$ at
each step. The heuristic is thus similar to a known greedy heuristic for set covering [37] and linear
integer programming [36]. However, due to the nonlinearity in $V_{sd}(C)$, the worst-case performance
of the greedy heuristic cannot be analyzed using the ratio-bound analysis in [27,36,37] and is left
as an open problem.

To maximize the route vulnerability $V_{sd}(C)$ with minimum resource expenditure, it is beneficial
to the adversary to attempt to maximize the vulnerability resulting from the capture of each
individual node using the information recovered from previously captured nodes. The contribution
of a node i is thus given by the increase in route vulnerability $V_{sd}(C \cup \{i\}) - V_{sd}(C)$ due to the
addition of i to C. Allowing for an additional weight $p_{sd}$ to indicate the adversary's preference to
compromise the route $\mathcal{R}_{sd}$ over other routes, the value of each node i is defined as follows.

Definition 28 The individual incremental node value of adding node $i \in \mathcal{N}$ to C is defined as

$$
v_i(C) = \sum_{(s,d) \in \mathcal{T}_A} p_{sd} \left( V_{sd}(C \cup \{i\}) - V_{sd}(C) \right)
$$

for any route vulnerability function $V_{sd}(C)$ satisfying the conditions in Definition 27.

To maximize the cost-effectiveness of the node capture attack at each iteration, the adversary
chooses to capture the node with maximum incremental value per unit cost $v_i(C)/w_i$. Based on
this greedy approach, we propose the GNAVE algorithm for Greedy Node capture Approximation
using Vulnerability Evaluation as given in Figure 5.2.

We note that the GNAVE algorithm being greedy implies that the attack performance depends
only on the order of the weighted node values $v_i(C)/w_i$ for the nodes $\mathcal{N} \setminus C$. In order to illustrate the
effect of node capture attacks using the GNAVE algorithm, we next provide candidate realizations
of the RVM $V_{sd}(C)$.

GNAVE Algorithm

Given: $\mathcal{L}_i$, $w_i$ for $i \in \mathcal{N}$, $\mathcal{R}_{sd}$ for $(s, d) \in \mathcal{T}_A$
$C \leftarrow \emptyset$
while there exists $(s, d) \in \mathcal{T}_A$ with $V_{sd}(C) < 1$ do
    $i^* \leftarrow \arg\max_{i \in \mathcal{N}} v_i(C)/w_i$
    $C \leftarrow C \cup \{i^*\}$
end while

Figure 5.2: We present the algorithmic form of the GNAVE algorithm to approximate the minimum cost node
capture attack in Figure 5.1.

5.5  RVM  Realization 

In this section, we propose an RVM realization satisfying the conditions in Definition 27, noting that
there is a high degree of freedom in the given conditions. We present an RVM realization for each
of the routing protocol classes discussed in Section 5.3.1, hereafter denoting the route vulnerability
for independent and dependent path routing protocols as $V^I_{sd}(C)$ and $V^D_{sd}(C)$, respectively. The
definitions presented in this section are derived using the following necessary and sufficient condition
for the compromise of a route $\mathcal{R}_{sd}$ with respect to the edge cuts [27] of the route subgraph $G_{sd}$.

Theorem 16 The route $\mathcal{R}_{sd}$ is compromised if and only if the set $L_C$ of compromised links contains
at least one $(s,d)$ edge cut of the route subgraph $G_{sd}$ as a subset.

Proof 33 To prove the forward implication, suppose that $\mathcal{R}_{sd}$ is compromised. By Definitions 25
and 26, there is at least one compromised link $(i_\pi, j_\pi)$ in each path $\pi \in \mathcal{R}_{sd}$, and the end-to-end link
$(s,d)$ is compromised. Let $L_{cut} = \{(i_\pi, j_\pi) : \pi \in \mathcal{R}_{sd}\} \subseteq L_C$. Since each path $\pi$ traverses at least
one edge in $L_{cut}$, $L_{cut} \cup \{(s,d)\}$ is an edge cut of $G_{sd}$.

To prove the reverse implication, let $L_{cut}$ be an edge cut of $G_{sd}$. By the definition of an edge
cut, $(s,d) \in L_{cut}$ and each path $\pi$ from $s$ to $d$ in $G_{sd}$ traverses at least one link in $L_{cut}$. Hence, by
Definition 25, every path $\pi$ in $\mathcal{R}_{sd}$ is compromised, implying by Definition 26 that the route itself
is compromised.

Theorem 16 thus implies that the task of compromising each route $(s,d) \in \mathcal{T}_A$ is equivalent to
capturing a set of nodes $C$ leading to the compromise of an edge cut of $G_{sd}$. We thus formulate an
RVM realization using the properties of edge cuts of $G_{sd}$.

5.5.1  Set  Theoretic  RVM 

We formulate a set theoretic RVM realization $V_{sd}(C)_{\mathrm{SET}}$ by interpreting the properties of edge cuts
of $G_{sd}$ set theoretically. From Theorem 16, the existence of a compromised edge cut set $L_{cut} \subseteq L_C$
of the route subgraph $G_{sd}$ implies that the route $\mathcal{R}_{sd}$ is compromised. In terms of the set $\mathcal{K}_C$ of
compromised keys, a necessary and sufficient condition for $L_C$ to contain an edge cut set of $G_{sd}$ is

$$\mathcal{K}_{sd} \subseteq \mathcal{K}_C \quad \text{and} \quad \forall \pi \in \mathcal{R}_{sd},\ \exists (i,j) \in \pi,\ \mathcal{K}_{ij} \subseteq \mathcal{K}_C.$$

Letting $\mathbf{1}(\cdot)$ denote the binary indicator function of a specified event, Theorem 16 thus implies that
the first two conditions of Definition 27 can be satisfied by defining a binary RVM equal to

$$\mathbf{1}(\mathcal{K}_{sd} \subseteq \mathcal{K}_C) \prod_{\pi \in \mathcal{R}_{sd}} \left( 1 - \prod_{(i,j) \in \pi} \left( 1 - \mathbf{1}(\mathcal{K}_{ij} \subseteq \mathcal{K}_C) \right) \right). \tag{5.1}$$



However,  this  function  does  not  satisfy  the  third  condition  of  Definition  27  as  the  resulting  function 
does  not  take  continuous  values  between  0  and  1. 

The above formulation provides insight into the route vulnerability, however, suggesting that a
valid RVM can be obtained with minor modifications. First, to ensure that any compromised path
is accounted for in the vulnerability evaluation, the product over all paths in $\mathcal{R}_{sd}$ can be replaced
by a weighted summation over the corresponding paths, including the secure end-to-end link $(s,d)$
as a single-hop path. We denote the relative weight assigned to the secure end-to-end link $(s,d)$ as
$f_{sd}$ with the assumption that $f_{sd} > 0$ is allowed to vary arbitrarily when the additional end-to-end
secure link is used and that $f_{sd} = 0$ otherwise, thus impacting the choice of captured nodes. We
relax the binary condition imposed by the indicator function $\mathbf{1}(\mathcal{K}_{ij} \subseteq \mathcal{K}_C)$ by the function $\phi_{ij}(C)$
equal to the fraction of keys in $\mathcal{K}_{ij}$ that are contained in $\mathcal{K}_C$, given by

$$\phi_{ij}(C) = \begin{cases} \dfrac{|\mathcal{K}_{ij} \cap \mathcal{K}_C|}{|\mathcal{K}_{ij}|}, & \text{if } \mathcal{K}_{ij} \neq \emptyset \\ 1, & \text{otherwise} \end{cases} \tag{5.2}$$

for links in $L$ and

$$\phi_{sd}(C) = \begin{cases} \dfrac{|\mathcal{K}_{sd} \cap \mathcal{K}_C|}{|\mathcal{K}_{sd}|}, & \text{if } \mathcal{K}_{sd} \neq \emptyset \\ 1, & \text{otherwise} \end{cases} \tag{5.3}$$



for the secure end-to-end link $(s,d)$. Applying this relaxation to the right-hand side of (5.1) thus
yields the following RVMs for independent and dependent path routing protocols, which vary only
in the weighting of individual paths in $\mathcal{R}_{sd}$.

For independent path routing protocols, the compromise of an individual path $\pi \in \mathcal{R}_{sd}$ is
sufficient to allow the adversary to recover a fraction $f_\pi$ of the traffic from $s$ to $d$. Applying the
continuous relaxation to the right-hand side of (5.1) for each single path route in $\mathcal{R}_{sd}$ and summing
over the single path routes with corresponding weights including the end-to-end link $(s,d)$ with
weight $f_{sd}$, yields the RVM for independent path routing protocols as

$$V^I_{sd}(C)_{\mathrm{SET}} = \frac{f_{sd}\,\phi_{sd}(C) + 1}{1 + f_{sd}} - \sum_{\pi \in \mathcal{R}_{sd}} \frac{f_\pi}{1 + f_{sd}} \prod_{(i,j) \in \pi} \left( 1 - \phi_{ij}(C) \right). \tag{5.4}$$



For dependent path routing protocols, even though the compromise of an individual path does
not reveal any information to the adversary, it brings the adversary closer to compromising the
route. Hence, we obtain the corresponding RVM by applying the continuous relaxation to the
right-hand side of (5.1) and summing over the equally-weighted single path routes, including the
end-to-end link $(s,d)$ with weight $f_{sd}$, yielding

$$V^D_{sd}(C)_{\mathrm{SET}} = \frac{f_{sd}\,\phi_{sd}(C) + 1}{1 + f_{sd}} - \frac{1}{|\mathcal{R}_{sd}|\,(1 + f_{sd})} \sum_{\pi \in \mathcal{R}_{sd}} \prod_{(i,j) \in \pi} \left( 1 - \phi_{ij}(C) \right). \tag{5.5}$$

The set theoretic formulation of the RVM $V_{sd}(C)_{\mathrm{SET}}$ in this section is derived by explicitly
analyzing the necessary condition for the existence of an edge cut of $G_{sd}$.


5.6  Node  Capture  Attacks  without  Routing  Information 

In  this  section,  we  present  a  special  case  of  node  capture  attacks  and  vulnerability  metrics  when 
the  adversary  has  not  collected  (or  is  unable  to  collect)  information  about  the  routing  topology 
in  the  network.  We  show  that  node  capture  attacks  based  only  on  the  key  assignment  protocol 
can  be  modeled  using  an  integer  programming  framework  and  give  example  strategies  and  the 
corresponding  vulnerability  metrics. 


5.6.1  Formulation  of  the  Key-Based  Node  Capture  Attack  Model 

In the absence of routing information, the adversary is unable to determine whether paths or routes
are compromised as in Definitions 25 and 26. Hence, the attack is re-formulated with respect to the
compromise of secure links as in Definition 24. Furthermore, the route vulnerability metric $V_{sd}(C)$
must be replaced by an alternative vulnerability metric that evaluates the effect of the attack on
the security of links instead of routes.

For a key-based node capture attack, we let $Z = \{z_1, \ldots, z_M\}$ denote the collection of $M$ items
of interest to the adversary. For example each $z_m$ can be a key $z_m \in \mathcal{K}$ or a subset of shared keys
$z_m = \mathcal{K}_i \cap \mathcal{K}_j \subseteq \mathcal{K}$. In order to plan the attack, the adversary must characterize the relationship
between each set $\mathcal{K}_n$ of assigned keys and each target item $z_m \in Z$. The relationship can be
characterized by defining a variable $a_{m,n}$ which is non-zero if and only if the assigned keys $\mathcal{K}_n$ aid
in the recovery of the target item $z_m$. The variables $a_{m,n}$ can be collected into an $M \times N$ constraint
matrix $A$ representing the goals of the attack. Letting $x$ be a binary vector of elements $x_n$ where
$x_n = 1$ if and only if $n \in C$, the product $Ax$ denotes the outcome of the attack. Depending on the
key assignment and link-key establishment protocols, the adversary may be required to obtain a
certain amount of information about an element $z_m$ before it can be recovered. Hence, we let $s_m$
denote the corresponding quantity such that $z_m$ is recovered if and only if

$$\sum_{n \in \mathcal{N}} a_{m,n}\, x_n \ge s_m. \tag{5.6}$$



The sufficiency of the attack is thus given by the condition that $Ax \ge s$. We note that the
adversary's preference for individual items $z_m$ in $Z$ can be incorporated by scaling the $m$th row of
$A$ and the value $s_m$ by a constant, with no effect on the inequality in (5.6).

The vulnerability metric $V_Z(C)$ of interest to the adversary is thus a function of the matrix $A$
and the sufficiency vector $s$. Similar to the conditions in Definition 27, the vulnerability $V_Z(C)$ will
be 1 only if (5.6) is satisfied for all $m = 1, \ldots, M$. We define a candidate vulnerability function as

$$V_Z(C) = \frac{\| \min(Ax, s) \|_1}{\| s \|_1} \tag{5.7}$$

where min is the element-wise vector minimum of the two vector arguments and $\| \cdot \|_1$ denotes the
$\ell_1$ (absolute vector sum) norm [38]. Replacing the final condition in the minimum cost attack
formulation in Section 5.4.2 with the metric in (5.7) yields the constraint $Ax \ge s$, making the
formulation that of a minimum cost integer programming problem [36]. We note that the average
$V(x)$ over all sets $C$ of size $x$ is equivalent to the widely-used measure of the resilience of the key
predistribution scheme to a node capture attack [4, 11, 13, 18, 19, 23, 39].

Due to the NP-hardness of the integer programming minimization problem, the GNAVE
algorithm presented in Section 5.4.2 can be applied in a similar way to the case without routing
information. We note that the greedy algorithm does not require the adversary to explicitly
construct the constraint matrix $A$ but only to evaluate the vulnerability function $V_Z(C)$, a task which
requires far less information, as will be discussed.
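For a designer evaluating a key predistribution scheme, the metric in (5.7) and the resilience average mentioned above can be computed directly. The following is an added example, not code from the report: it takes the key cover case ($Z = \mathcal{K}$, binary $A$), and the network sizes, the seed and the use of Monte Carlo sampling in place of the average over all sets of size $x$ are assumptions made for illustration.

```python
import random


def predistribute(num_nodes, pool_size, ring_size, rng):
    """Random key predistribution: every node draws ring_size distinct key
    indices from a pool of pool_size keys (sizes are constructed values)."""
    return [frozenset(rng.sample(range(pool_size), ring_size))
            for _ in range(num_nodes)]


def attack_outcome(rings, captured, pool_size):
    """Vector Ax for the key cover matrix A, where a[m][n] = 1 iff key m is
    held by node n and x[n] = 1 iff node n is in the captured set."""
    ax = [0] * pool_size
    for n in set(captured):
        for m in rings[n]:
            ax[m] += 1
    return ax


def vulnerability(rings, captured, pool_size, s=None):
    """V_Z(C) = ||min(Ax, s)||_1 / ||s||_1 as in (5.7).

    s[m] is the amount of information needed to recover item m; the default
    of all ones means a single captured copy of a key reveals it."""
    if s is None:
        s = [1] * pool_size
    ax = attack_outcome(rings, captured, pool_size)
    return sum(min(a, t) for a, t in zip(ax, s)) / sum(s)


def resilience(rings, pool_size, x, trials, rng, s=None):
    """Average V_Z(C) over randomly drawn capture sets of size x."""
    nodes = range(len(rings))
    total = 0.0
    for _ in range(trials):
        total += vulnerability(rings, rng.sample(nodes, x), pool_size, s)
    return total / trials


# Constructed three-node network that can be checked by hand.
TOY_RINGS = [frozenset({0, 1}), frozenset({1, 2}), frozenset({3})]

if __name__ == "__main__":
    # Capturing nodes 0 and 1 gives Ax = [1, 2, 1, 0].
    print(vulnerability(TOY_RINGS, [0, 1], 4))           # s = 1 for every key
    print(vulnerability(TOY_RINGS, [0, 1], 4, [2] * 4))  # threshold of 2 shares

    rng = random.Random(1)
    rings = predistribute(num_nodes=100, pool_size=1000, ring_size=50, rng=rng)
    for x in (5, 10, 20):
        simulated = resilience(rings, 1000, x, trials=200, rng=rng)
        analytic = 1 - (1 - 50 / 1000) ** x  # expected fraction of exposed keys
        print(x, round(simulated, 3), round(analytic, 3))
```

Raising the entries of $s$, for instance with a secret-sharing threshold, lowers $V_Z(C)$ for the same captured set, which is the effect the sufficiency vector is meant to capture.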

5.6.2  Key-Based  Node  Capture  Attacks 

We next present two example node capture attacks based only on the key assignment information
using the formulation in Section 5.6.1. We present the key cover attack and the link cover attack
which are named for their relationships to the well-known set cover problem [27, 36].


Key  Cover  Attack 

The key cover attack is modeled according to the well known set cover problem. In this attack,
the collection $Z$ of items sought by the adversary is equal to the set of keys $\mathcal{K}$. The adversary's
primary goal is to capture a set of nodes whose sets $\mathcal{K}_n$ cover the set $\mathcal{K}$ and thus can be used to
compromise the security of every secure link in the network. In this attack, each element $k \in \mathcal{K}$ is
of equal importance to the adversary, so the rows of $A$ and elements of $s$ are equally weighted.²

² A simplified version of this strategy was used to develop a probabilistic attack in [40].

A key coverage attack can be formulated using the minimization problem in Section 5.6.1 as
follows. Each entry $s_m$ of the vector $s$ is equal to the number of elements derived from $k_m$ which
must be obtained to recover the secret $k_m$. For example, the value $s_m$ can be equal to the threshold
of a secret-sharing scheme [11, 13, 23, 32, 39, 41, 42] applied to the elements of $\mathcal{K}$. Each entry $a_{m,n}$
of the binary matrix $A$ is equal to 1 if and only if an element in $\mathcal{K}_n$ was derived from $k_m \in \mathcal{K}$.
Hence, the column sum $A_n$ of the matrix $A$ is equal to the number of elements in $\mathcal{K}_n$ which are
unknown to the adversary. To perform a key cover attack using the GNAVE algorithm, the key
establishment protocol must allow the adversary to compute the set $\mathcal{L}_n$ for each node $n \in \mathcal{N}$. We
first present a result on the adversary's ability to perform the key cover attack using the GNAVE
algorithm.

Lemma 11 Given any key establishment protocol such that $|\mathcal{K}_n|$ is computable by the adversary
for each $n \in \mathcal{N}$, a key cover attack can be performed deterministically using the GNAVE algorithm.

Proof 34 Let $L$ denote the set of indices of elements in $\mathcal{K}$ recovered by the adversary from
previously captured nodes. Since the adversary has obtained all of the information stored within each
captured node, the intersection set $L \cap \mathcal{L}_n$ is necessarily computable for each $n \in \mathcal{N}$, as the
adversary can simply play the role of each captured node in the key establishment protocol. The
GNAVE algorithm can then be performed by realizing that the sum of the $n$th column of $A$ is equal
to $|\mathcal{K}_n| - |L \cap \mathcal{L}_n|$. Note that the result does not require the number of assigned keys $|\mathcal{K}_n|$ to be fixed
for all $n \in \mathcal{N}$.

The primary implication of Lemma 11 is that the use of a privacy-preserving key establishment
protocol based on a cryptographic proof-of-knowledge [22] does not prevent the adversary from
performing key cover attacks.


Link  Cover  Attack 

The link cover attack is also modeled according to the well known set cover problem. In this attack,
each element in the collection $Z$ of items sought by the adversary is a subset of $\mathcal{K}$ equal to the
intersection $\mathcal{K}_i \cap \mathcal{K}_j$. Since the same elements of $\mathcal{K}$ can be used by multiple pairs of nodes in the
network, $Z$ is a multi-set of subsets of $\mathcal{K}$ whose union is not necessarily all of $\mathcal{K}$. In this attack, the
adversary's primary goal is to capture a set of nodes whose sets $\mathcal{K}_n$ cover the collection of multi-sets
$Z$, corresponding to the compromise of as many secure links in the network as is possible.

A link cover attack can be formulated using the minimization problem in Section 5.4.2 and the
GNAVE algorithm as follows. Similar to that of the set coverage strategy, each entry $s_{(i,j)}$ of the
vector $s$ is equal to the threshold number of elements derived from $z_{(i,j)}$ which must be obtained
to recover the set $z_{(i,j)}$. Each entry $a_{(i,j),n}$ of the binary matrix $A$ is equal to 1 if and only if
$\mathcal{K}_i \cap \mathcal{K}_j \subseteq \mathcal{K}_n$. Furthermore, to perform a link cover attack using the GNAVE algorithm, the key
establishment protocol must allow the adversary to compute the label set $\mathcal{L}_n$.

If the adversary cannot compute the label set $\mathcal{L}_n$ for each node $n \in \mathcal{N}$, it is impossible to
determine the subsets of $\mathcal{K}$ corresponding to each secure link. Furthermore, there is no
method for computing or updating the column sums of the matrix $A$. Hence, subset coverage
attacks can be prevented by the use of a privacy-preserving key establishment protocol.


5.7 Uncertainty in RVM Parameters due to Privacy-Preserving Set Intersection

In order for an adversary to mount a node capture attack using the GNAVE algorithm, the
contribution $V_{sd}(C \cup \{n\}) - V_{sd}(C)$ to the incremental node value $\nu_n(C)$ of node $n \in \mathcal{N}$ must be computed
using Definition 28 with an RVM realization that satisfies Definition 27. The set theoretic RVM
realization in Section 5.5 as well as the link cover attack in Section 5.6 require the adversary to
compute the quantities $|\mathcal{K}_{ij}|$ and $|\mathcal{K}_{ij} \cap \mathcal{K}_C|$ for each link $(i,j)$. As shown in Lemma 11, the set
$\mathcal{K}_i \cap \mathcal{K}_C$ can be computed for any $i \in \mathcal{N}$ by the adversary with captured nodes $C$. Hence, the
quantity $|\mathcal{K}_{ij} \cap \mathcal{K}_C|$ can always be computed using the equality

$$\mathcal{K}_{ij} \cap \mathcal{K}_C = (\mathcal{K}_i \cap \mathcal{K}_C) \cap (\mathcal{K}_j \cap \mathcal{K}_C).$$

However, if the network nodes in $\mathcal{N}$ are using a privacy-preserving set intersection protocol
according to Definition 23, the quantity $|\mathcal{K}_{ij}|$ cannot be computed deterministically. We thus demonstrate
how this required quantity can be estimated probabilistically. In what follows, we assume that each
set $\mathcal{K}_i$ is randomly and independently selected from $\mathcal{K}$ as in [4] and that the quantities $k_i = |\mathcal{K}_i|$
and $k = |\mathcal{K}|$ are publicly known.
A probabilistic estimate $\hat{k}_{ij}$ of the quantity $|\mathcal{K}_{ij}|$ can be computed using the probability
distribution $\Pr[|\mathcal{K}_{ij}| = k_{ij}]$ using the known parameters $k_{iC} = |\mathcal{K}_i \cap \mathcal{K}_C|$, $k_{jC} = |\mathcal{K}_j \cap \mathcal{K}_C|$, and
$k_{ijC} = |\mathcal{K}_{ij} \cap \mathcal{K}_C|$. This probability is exactly the probability that $(k_{ij} - k_{ijC})$ of the $(k_i - k_{iC})$ keys
in $\mathcal{K}_i$ not known to the adversary are equal to $(k_{ij} - k_{ijC})$ of the $(k_j - k_{jC})$ keys in $\mathcal{K}_j$ not known
to the adversary. Letting $k_C = |\mathcal{K}_C|$, the desired probability can be computed as

$$\Pr[|\mathcal{K}_{ij}| = k_{ij}] = \binom{k_j - k_{jC}}{k_{ij} - k_{ijC}} \left( \frac{k_i - k_{iC}}{k - k_C} \right)^{k_{ij} - k_{ijC}} \left( 1 - \frac{k_i - k_{iC}}{k - k_C} \right)^{k_j - k_{jC} - k_{ij} + k_{ijC}} \tag{5.8}$$

for $k_{ij} = k_{ijC}, \ldots, k_j - k_{jC} + k_{ijC}$.

We compute the estimate $\hat{k}_{ij}$ as the expected value of $|\mathcal{K}_{ij}|$, conditioned on the fact that $|\mathcal{K}_{ij}| >
k_{ijC}$ since $|\mathcal{K}_{ij}|$ is only unknown if $k_j > k_{jC}$. The estimate $\hat{k}_{ij}$ is thus computed as the expected
value of the random variable with probability distribution $\Pr[|\mathcal{K}_{ij}| = k_{ij}] / \Pr[|\mathcal{K}_{ij}| > k_{ijC}]$, subject
to $|\mathcal{K}_{ij}| > k_{ijC}$, using (5.8), yielding

$$\hat{k}_{ij} = k_{ijC} + \frac{(k_i - k_{iC})(k_j - k_{jC})}{(k - k_C) \left( 1 - \left( 1 - \frac{k_i - k_{iC}}{k - k_C} \right)^{k_j - k_{jC}} \right)}. \tag{5.9}$$



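The estimate $\hat{k}_{ij}$ of $|\mathcal{K}_{ij}|$ using (5.9) can then be used to estimate the route vulnerability $V_{sd}(C)$.
However, in order to estimate the incremental node value $\nu_n(C)$ of each node $n \in \mathcal{N} \setminus C$, the route
vulnerability $V_{sd}(C \cup \{n\})$ must also be estimated, where the union $\mathcal{K}_{C \cup \{n\}}$ cannot be computed
deterministically.

We note that for any $i, j, n \in \mathcal{N}$, the number of keys securing the link $(i,j)$ if $n$ is added to $C$
is given by

$$|\mathcal{K}_{ij} \setminus \mathcal{K}_{C \cup \{n\}}| = |\mathcal{K}_{ij}| - |\mathcal{K}_{ij} \cap (\mathcal{K}_C \cup \mathcal{K}_n)| = |\mathcal{K}_{ij}| - |\mathcal{K}_{ij} \cap \mathcal{K}_C| - |\mathcal{K}_{ij} \cap \mathcal{K}_n| + |\mathcal{K}_{ij} \cap \mathcal{K}_n \cap \mathcal{K}_C|. \tag{5.10}$$

Since the quantities $k_{ijC} = |\mathcal{K}_{ij} \cap \mathcal{K}_C|$ and $k_{ijnC} = |\mathcal{K}_{ij} \cap \mathcal{K}_n \cap \mathcal{K}_C|$ are known, and an estimate $\hat{k}_{ij}$ of
$|\mathcal{K}_{ij}|$ has already been computed in (5.9), the remaining quantity to estimate is $|\mathcal{K}_{ij} \cap \mathcal{K}_n|$. We let
$Q(k_{ijn})$ denote the probability $\Pr[|\mathcal{K}_{ij} \cap \mathcal{K}_n| = k_{ijn}]$ and $Q(k_{ijn} \mid k_{ij})$ denote the similar probability
conditioned on the event that $|\mathcal{K}_{ij}| = k_{ij}$, computed as

$$Q(k_{ijn}) = \sum_{k_{ij} = k_{ijC}}^{k_j - k_{jC} + k_{ijC}} Q(k_{ijn} \mid k_{ij}) \Pr[|\mathcal{K}_{ij}| = k_{ij}]. \tag{5.11}$$

Similar to the computation in (5.8), the conditional probability $Q(k_{ijn} \mid k_{ij})$ is computed as

$$Q(k_{ijn} \mid k_{ij}) = \binom{k_n - k_{nC}}{k_{ijn}} \left( \frac{k_{ij} - k_{ijC}}{k - k_C} \right)^{k_{ijn}} \left( 1 - \frac{k_{ij} - k_{ijC}}{k - k_C} \right)^{k_n - k_{nC} - k_{ijn}}. \tag{5.12}$$
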


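An estimate $\hat{k}_{ijn}$ of $|\mathcal{K}_{ij} \cap \mathcal{K}_n|$ is computed conditioned on the event that $|\mathcal{K}_{ij}| > k_{ijC}$ as before.
The estimate $\hat{k}_{ijn}$ is thus computed as the expected value of the random variable with probability
distribution $Q(k_{ijn}) / \Pr[|\mathcal{K}_{ij}| > k_{ijC}]$, subject to $k_{ij} > k_{ijC}$, using (5.8), (5.11), and (5.12) yielding

$$\begin{aligned}
\hat{k}_{ijn} &= \sum_{k_{ijn} = 0}^{k_n - k_{nC}} k_{ijn} \sum_{k_{ij} = k_{ijC} + 1}^{k_j - k_{jC} + k_{ijC}} \frac{Q(k_{ijn} \mid k_{ij}) \Pr[|\mathcal{K}_{ij}| = k_{ij}]}{\Pr[|\mathcal{K}_{ij}| > k_{ijC}]} \\
&= \sum_{k_{ij} = k_{ijC} + 1}^{k_j - k_{jC} + k_{ijC}} \frac{\Pr[|\mathcal{K}_{ij}| = k_{ij}]}{\Pr[|\mathcal{K}_{ij}| > k_{ijC}]} \sum_{k_{ijn} = 0}^{k_n - k_{nC}} k_{ijn}\, Q(k_{ijn} \mid k_{ij}) \\
&= \frac{k_n - k_{nC}}{k - k_C} \sum_{k_{ij} = k_{ijC} + 1}^{k_j - k_{jC} + k_{ijC}} \frac{\Pr[|\mathcal{K}_{ij}| = k_{ij}]\,(k_{ij} - k_{ijC})}{\Pr[|\mathcal{K}_{ij}| > k_{ijC}]} \\
&= \left( \hat{k}_{ij} - k_{ijC} \right) \frac{k_n - k_{nC}}{k - k_C}
\end{aligned} \tag{5.13}$$

where $\hat{k}_{ij}$ is the estimate given in (5.9).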

The estimates $\hat{k}_{ij}$ and $\hat{k}_{ijn}$ are then used to estimate the incremental node value $\nu_n(C)$ of
each node $n \in \mathcal{N} \setminus C$ using Definition 28 with the corresponding route vulnerability definition in
Section 5.5. We note that the contribution of a node toward the compromise of a link, path, or
route is deterministic if the captured node is incident to the link, path, or route of interest. Hence,
at early stages of the attack, it is likely that captured nodes will be located along paths from source
nodes to destination nodes. The adversary will, however, learn significantly more information about
the remainder of the network by capturing one node at a time using the GNAVE algorithm with
the vulnerability estimates obtained herein.
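The estimates above quantify how much about $|\mathcal{K}_{ij}|$ remains inferable when a privacy-preserving set intersection protocol is in use, and the closed forms can be checked against direct summation. The following is an added example, not code from the report: it reads (5.8) and (5.12) as binomial distributions as described in the text, and the parameter values in `SAMPLE` are constructed.

```python
from math import comb
from typing import NamedTuple


class Known(NamedTuple):
    """Quantities the text treats as known for one link (i, j)."""
    k: int     # |K|, size of the key pool
    kC: int    # |K_C|, number of compromised keys
    ki: int    # |K_i|
    kiC: int   # |K_i ∩ K_C|
    kj: int    # |K_j|
    kjC: int   # |K_j ∩ K_C|
    kijC: int  # |K_ij ∩ K_C|


def binom_pmf(x, n, p):
    """Binomial probability of x successes in n trials; 0 outside the support."""
    if x < 0 or x > n:
        return 0.0
    return comb(n, x) * p ** x * (1.0 - p) ** (n - x)


def _p(q):
    if q.k <= q.kC:
        raise ValueError("every key is already compromised; nothing to estimate")
    return (q.ki - q.kiC) / (q.k - q.kC)


def pr_kij(kij, q):
    """Pr[|K_ij| = kij] as in (5.8)."""
    return binom_pmf(kij - q.kijC, q.kj - q.kjC, _p(q))


def _support(q):
    """Values of |K_ij| strictly above kijC, the conditioning event of (5.9)."""
    return range(q.kijC + 1, q.kijC + (q.kj - q.kjC) + 1)


def estimate_kij(q):
    """Closed form (5.9). If no unknown key can be shared, |K_ij| = kijC."""
    n, p = q.kj - q.kjC, _p(q)
    if n == 0 or p == 0.0:
        return float(q.kijC)
    return q.kijC + n * p / (1.0 - (1.0 - p) ** n)


def estimate_kij_by_sum(q):
    """Conditional expectation of |K_ij| summed term by term over (5.8)."""
    mass = sum(pr_kij(v, q) for v in _support(q))
    if mass == 0.0:
        return float(q.kijC)
    return sum(v * pr_kij(v, q) for v in _support(q)) / mass


def estimate_kijn(q, kn, knC):
    """Closed form (5.13) for the estimate of |K_ij ∩ K_n|."""
    return (estimate_kij(q) - q.kijC) * (kn - knC) / (q.k - q.kC)


def estimate_kijn_by_sum(q, kn, knC):
    """First line of (5.13): double sum over kijn and kij using (5.12)."""
    mass = sum(pr_kij(v, q) for v in _support(q))
    if mass == 0.0:
        return 0.0
    total = 0.0
    for kij in _support(q):
        share = (kij - q.kijC) / (q.k - q.kC)
        inner = sum(x * binom_pmf(x, kn - knC, share) for x in range(kn - knC + 1))
        total += inner * pr_kij(kij, q)
    return total / mass


# Constructed parameters: pool of 1000 keys, 200 compromised, rings of 50 keys.
SAMPLE = Known(k=1000, kC=200, ki=50, kiC=10, kj=50, kjC=12, kijC=1)

if __name__ == "__main__":
    print(estimate_kij(SAMPLE), estimate_kij_by_sum(SAMPLE))
    print(estimate_kijn(SAMPLE, 50, 8), estimate_kijn_by_sum(SAMPLE, 50, 8))
```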


5.8  Examples  and  Simulation  Study 

In  this  section,  we  illustrate  the  application  of  the  route  vulnerability  metric  Vsd(C )  and  the  GNAVE 
algorithm.  We  first  present  two  small-scale  examples  using  independent  and  dependent  path  routing 
and  the  set  theoretic  route  vulnerability  metric.  We  then  provide  simulation  results  to  illustrate 
the  effect  of  node  capture  attacks  in  a  large-scale  wireless  network  under  various  different  key 
assignment  and  routing  models. 


5.8.1  Example:  Multi-Path  Geographic  Forwarding 

We illustrate a node capture attack using the GNAVE algorithm with the set theoretic route
vulnerability metric presented in Section 5.5.1 for a wireless network using multi-path geographic
forwarding. In this example, we construct independent path routes using a multi-path geographic
forwarding algorithm in which each node forwards the corresponding message to the two next-hop
neighbors nearest the destination node, similar to the idea in GBR [30]. We consider the
network topology given in Figure 5.3(a) with source-destination routing pairs $\mathcal{T} = \{(s_1, d_1), (s_2, d_2)\}$.
The additional end-to-end security mechanism discussed in Section 5.3.2 is used by each
source-destination pair, and keys are assigned to nodes in the network as given in Figure 5.3(b).

To illustrate the security of each link using the assigned keys above, we note that nodes $s_1$ and
$m_1$ share keys $\mathcal{K}_{s_1 m_1} = \{k_8, k_{10}\}$, so the link $(s_1, m_1)$ is secure as long as $\{k_8, k_{10}\} \nsubseteq \mathcal{K}_C$.

Assuming the messages traversing different paths through the network are independently
secured, the route vulnerability of the two routes $\mathcal{R}_{s_1 d_1}$ and $\mathcal{R}_{s_2 d_2}$ can be computed using (5.4) by
individually considering the four paths and the end-to-end secure link in each route. The route
vulnerability $V^I_{sd}(C)_{\mathrm{SET}}$ and the corresponding node value $\nu_i(C)_{\mathrm{SET}}$ computed using Definition 28
are provided in Table 5.2. In computing the node value and considering which nodes can appear in
$C$, we assume that the node capture cost $w_i$ for each source $s_j$ and intermediate node $m_j$ is unity,
while that of each destination node is infinity.

Figure 5.3: Sources $s_1$ and $s_2$ send messages to destinations $d_1$ and $d_2$, respectively, using
independent path routing. Each link $(i,j)$ is labeled with the number of shared keys $|\mathcal{K}_{ij}|$. The end-to-end
secure links, not illustrated, have $|\mathcal{K}_{s_1 d_1}| = |\mathcal{K}_{s_2 d_2}| = 2$ shared keys each. The example network is
illustrated in (a), and the assigned keys are shown in (b).

Table 5.2: Route vulnerabilities and node values are computed for the set theoretic route vulnerability metrics for
the network in Figure 5.3(a), rounding each quantity to the nearest 0.001.

[Table 5.2, surviving entries; columns $i = s_1, s_2, m_1, m_2, m_3, m_4, m_5, m_6$.
Row $V^I_{s_1 d_1}(\{i\})_{\mathrm{SET}}$: 1.000, 0.400, 0.950.
Row $\nu_i(\emptyset)_{\mathrm{SET}}$: 1.400, 0.800, 1.450, 1.383, 1.100, 1.067.]

To demonstrate the computation of quantities in Table 5.2, we consider the source-destination
pair $(s_1, d_1)$ in the second column and compute the route vulnerability resulting from the capture
of node $m_4$. The route $\mathcal{R}_{s_1 d_1}$ consists of four independent paths,

$\pi_1 = \{(s_1, m_1), (m_1, m_2), (m_2, d_1)\}$, $\pi_2 = \{(s_1, m_1), (m_1, m_4), (m_4, d_1)\}$,

$\pi_3 = \{(s_1, m_3), (m_3, m_2), (m_2, d_1)\}$, $\pi_4 = \{(s_1, m_3), (m_3, m_4), (m_4, d_1)\}$,

each corresponding to an independent single-path route. We assume that $f_{\pi_i} = f_{sd} = 1/4$.

To compute the set theoretic vulnerability $V^I_{s_1 d_1}(\{m_4\})_{\mathrm{SET}}$ using Figure 5.3(a), we first compute
$\phi_{s_1 d_1}(\{m_4\})$ as 1/2, the $\phi$ values for path $\pi_1$ as 1/2, 1/2, and 1/2, the $\phi$ values for path $\pi_2$ as
1/2, 1, and 1, the $\phi$ values for path $\pi_3$ as 0, 0, and 1/2, and the $\phi$ values for path $\pi_4$ as 0, 1, and
1, implying that paths $\pi_2$ and $\pi_4$ are compromised. From (5.4), the vulnerability is computed as
$V^I_{s_1 d_1}(\{m_4\})_{\mathrm{SET}} = 31/40 = 0.775$, as indicated in Table 5.2. As indicated in Table 5.2, the first node
added to $C$ using the GNAVE algorithm under the set theoretic vulnerability function is node $m_4$.

Figure 5.4: A destination node $d$ receives messages from source nodes $s_1$, $s_2$, and $s_3$, with copies
of the same data, using randomized network coding. Each link $(i,j)$ is labeled with the number of
shared keys $|\mathcal{K}_{ij}|$. The example network is illustrated in (a), and the assigned keys are shown in (b).

Table 5.3: Node values, equal to the route vulnerabilities, are computed for the set theoretic route vulnerability
metric for the network in Figure 5.4(a), rounding each quantity to the nearest 0.001.

5.8.2 Example: Distributed Data Access Using Network Coding

We illustrate a node capture attack using the GNAVE algorithm with the set theoretic route
vulnerability metric presented in Section 5.5.1 for a network with three sources sending the same set
of messages using network coding. In this example, we construct dependent path routes using a
randomized network coding algorithm [33] in which each node forwards a different linear
combination of previously received messages in the same message batch along each secure link. We consider
the network topology given in Figure 5.4(a) with keys assigned to nodes in the network as given in
Figure 5.4(b).

Since network coding is used to construct each transmitted packet as a function of the entire
batch of messages, packets traversing different paths are dependent, even though links are
independently secured. Furthermore, since the three sources $s_1$, $s_2$, and $s_3$ act as a single information
source, we can treat the message traversal through the network as a single dependent route,
effectively joining the source nodes $s_1$, $s_2$, and $s_3$ into a single source $s$. Hence, the route vulnerability of
the route $\mathcal{R}_{sd}$ can be computed using (5.5). The route vulnerability $V^D_{sd}(C)_{\mathrm{SET}}$ and the
corresponding node value $\nu_i(C)_{\mathrm{SET}}$ computed using Definition 28 are provided in Table 5.3. In computing the
node value and considering which nodes can appear in $C$, we assume that the node capture cost $w_i$
for each intermediate node $m_j$ is unity, while that of each source $s_j$ and the destination node $d$ is
infinity.

To demonstrate the computation of quantities in Table 5.3, we evaluate the route vulnerability
due to the capture of node $m_6$, which is the first node added to $C$ using the GNAVE algorithm
under the set theoretic vulnerability functions. For the network in Figure 5.4(a), we note that the
route $\mathcal{R}_{sd}$ consists of 8 paths

$\pi_1 = \{(s_1, m_3), (m_3, d)\}$,
$\pi_2 = \{(s_1, m_5), (m_5, d)\}$,
$\pi_3 = \{(s_2, m_4), (m_4, d)\}$,
$\pi_4 = \{(s_2, m_6), (m_6, d)\}$,
$\pi_5 = \{(s_2, m_1), (m_1, m_2), (m_2, d)\}$,
$\pi_6 = \{(s_2, m_1), (m_1, m_3), (m_3, d)\}$,
$\pi_7 = \{(s_2, m_1), (m_4, m_6), (m_6, d)\}$,
$\pi_8 = \{(s_3, d)\}$,

where the end-to-end link $(s,d)$ is already included as the path $\pi_8$ joining $s_3$ to $d$. By inspection of
the collection of paths and the keys assigned to each node, we compute the $\phi$ values for each path
as 0 and 1 for $\pi_1$, 1 and 0 for $\pi_2$, 0 and 0 for $\pi_3$, 1 and 1 for $\pi_4$, 0, 1/3, and 0 for $\pi_5$, 0, 1, and 1
for $\pi_6$, 0, 1, and 1 for $\pi_7$, and 1 for $\pi_8$. From (5.5) with $f_{sd} = 0$, the vulnerability is computed as
$V^D_{sd}(\{m_6\})_{\mathrm{SET}} = 19/24 \approx 0.792$, as indicated in Table 5.3.
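The two worked computations in Sections 5.8.1 and 5.8.2 can be reproduced exactly from the $\phi$ values stated above. The following is an added example, not code from the report: it evaluates (5.4) and (5.5) with rational arithmetic, assumes the path weights $f_\pi$ sum to 1 as in the worked example, and also derives $\phi$ values from key sets for a small constructed network (node names and key assignments are hypothetical).

```python
from fractions import Fraction as F
from math import prod


def phi(link_keys, compromised_keys):
    """Fraction of a link's keys that are compromised, as in (5.2)/(5.3).
    A link with no keys counts as fully compromised."""
    link_keys = set(link_keys)
    if not link_keys:
        return F(1)
    return F(len(link_keys & set(compromised_keys)), len(link_keys))


def rvm_independent(path_phis, weights, phi_sd=F(0), f_sd=F(0)):
    """Set theoretic RVM for independent path routing, (5.4).
    path_phis[p] lists the phi values of the links on path p."""
    if sum(weights) != 1:
        raise ValueError("path weights are assumed to sum to 1")
    surviving = sum(f * prod(1 - p for p in phis)
                    for f, phis in zip(weights, path_phis))
    return (f_sd * phi_sd + 1 - surviving) / (1 + f_sd)


def rvm_dependent(path_phis, phi_sd=F(0), f_sd=F(0)):
    """Set theoretic RVM for dependent path routing, (5.5)."""
    surviving = sum(prod(1 - p for p in phis) for phis in path_phis)
    return ((f_sd * phi_sd + 1) / (1 + f_sd)
            - F(surviving) / (len(path_phis) * (1 + f_sd)))


def path_phis_from_keys(paths, node_keys, captured):
    """phi values per path when K_ij = K_i ∩ K_j and K_C is the union of the
    key sets of the captured nodes."""
    compromised = set().union(*(node_keys[n] for n in captured))
    return [[phi(node_keys[i] & node_keys[j], compromised) for i, j in path]
            for path in paths]


# phi values stated in Section 5.8.1 for the capture of m4 (paths pi_1..pi_4).
PAGE_M4 = [[F(1, 2), F(1, 2), F(1, 2)], [F(1, 2), 1, 1], [0, 0, F(1, 2)], [0, 1, 1]]
# phi values stated in Section 5.8.2 for the capture of m6 (paths pi_1..pi_8).
PAGE_M6 = [[0, 1], [1, 0], [0, 0], [1, 1], [0, F(1, 3), 0], [0, 1, 1], [0, 1, 1], [1]]

# Constructed network: two disjoint two-hop paths from s to d, plus two nodes
# c and e that are on neither path but hold keys reused on the paths.
TOY_KEYS = {"s": {1, 2, 3}, "a": {2, 3, 4}, "b": {1, 5, 6},
            "d": {4, 5, 7}, "c": {1, 4}, "e": {2, 5}}
TOY_PATHS = [[("s", "a"), ("a", "d")], [("s", "b"), ("b", "d")]]


def toy_vulnerability(captured):
    """(independent, dependent) RVM of the constructed route, equal weights."""
    phis = path_phis_from_keys(TOY_PATHS, TOY_KEYS, captured)
    return rvm_independent(phis, [F(1, 2)] * 2), rvm_dependent(phis)


if __name__ == "__main__":
    print(rvm_independent(PAGE_M4, [F(1, 4)] * 4, phi_sd=F(1, 2), f_sd=F(1, 4)))
    print(rvm_dependent(PAGE_M6))
    for node in ("c", "e"):
        print(node, toy_vulnerability([node]))
```

In the constructed network, the off-route node `c` alone drives both metrics to 1 because its two keys each secure one link on a different path, which is the key-reuse effect the metric is designed to expose.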

5.8.3  Simulation  Study:  Wireless  Sensor  Network 

We  provide  simulation  results  to  illustrate  a  node  capture  attack  using  the  GNAVE  algorithm. 
We  compare  the  performance  of  the  attack  to  node  capture  attacks  using  existing  node  selection 
metrics. 

The simulation was performed for a wireless sensor network of $|\mathcal{N}| = 500$ sensor nodes deployed
randomly over a square region with density to yield an average of 25 neighbors per sensor node.
Each node $i \in \mathcal{N}$ was randomly assigned a set of $|\mathcal{K}_i| = 50$ keys using key predistribution as in [4].
A subset of $|\mathcal{S}| = 100$ nodes was randomly selected as the set of source nodes, and a subset of
$|\mathcal{D}| = 10$ nodes was randomly selected as the set of destination nodes. For each source $s \in \mathcal{S}$, the
three nearest destination nodes in $\mathcal{D}$ were chosen as route pairs $(s,d) \in \mathcal{T}$. Each route $\mathcal{R}_{sd}$ was
constructed using geographic forwarding with a hop-count mechanism to avoid routing loops and
geographic dead-ends due to holes [31]. For both independent and dependent path routing, each
node chose three next-hop neighbors closest to the destination and with a lower or equal hop count.
For dependent path routing, we assume that any compromised edge cut is sufficient to compromise
the route.

We  simulated  the  node  capture  attacks  using  multiple  strategies  for  both  independent  and  de¬ 
pendent  path  routing.  We  simulated  secure  link  establishment  using  public  label  exchange  without 
end-to-end  security,  public  label  exchange  with  end-to-end  security,  and  privacy-preserving  set  in¬ 
tersection  without  end-to-end  security  using  the  estimation  techniques  in  Section  5.7.  Node  capture 
attacks  on  each  case  were  simulated  for  the  following  five  node  capture  strategies. 

1.  Nodes  are  captured  independently  at  random,  serving  as  the  baseline  performance  for  the 
adversary. 

2.  Nodes  are  captured  iteratively  to  maximize  the  number  of  compromised  keys  |/Cc|  by  choos¬ 
ing  the  node  i  with  maximum  |/Cj\/Cc|  at  each  iteration,  independent  of  the  routing  protocol. 
We  note  that  such  an  attack  can  be  performed  deterministically  under  privacy-preserving 
protocols. 

3.  Nodes  are  captured  iteratively  to  maximize  the  number  of  compromised  links  \Lc\  by  choos¬ 
ing  the  node  i  which  compromises  the  maximum  number  of  additional  links,  independent 
of  the  routing  protocol.  Under  privacy-preserving  protocols,  this  attack  uses  the  estimation 
techniques  in  Section  5.7. 

4.  Nodes  are  captured  iteratively  to  maximize  the  amount  of  network  traffic  routed  through 
captured  nodes,  independent  of  the  key  assignment  protocol. 

5.  Nodes  are  captured  using  the  GNAVE  algorithm  and  the  route  vulnerability  metric  Vjd(C) 
or  V^(C),  using  information  from  both  the  routing  and  key  assignment  protocols. 
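
For protocol designers who want to reproduce the shape of this comparison, the following added example (not the report's simulation code) measures how quickly strategies 1 to 3 expose secure links in a constructed random key predistribution network. It assumes a simplified link model in which a link is exposed once all keys shared by its endpoints are known, it ignores geometry and routing, and it does not implement strategy 4 or GNAVE; all function names and parameter values are illustrative.

```python
import random
from itertools import combinations

def build_network(n_nodes=40, pool=200, ring=12, seed=7):
    """Constructed sample: each node draws `ring` keys from a pool; two nodes
    form a secure link when they share at least one key (geometry ignored)."""
    rng = random.Random(seed)
    keys = {i: frozenset(rng.sample(range(pool), ring)) for i in range(n_nodes)}
    links = {(i, j): keys[i] & keys[j]
             for i, j in combinations(range(n_nodes), 2) if keys[i] & keys[j]}
    return keys, links

def exposed(links, known):
    """Assumed link model: a link is exposed once all its shared keys are known."""
    return sum(1 for shared in links.values() if shared <= known)

def capture_curve(keys, links, strategy, budget, seed=1):
    """Fraction of exposed links after each capture, for strategies 1-3."""
    rng = random.Random(seed)
    captured, known, curve = set(), set(), []
    for _ in range(budget):
        remaining = [i for i in keys if i not in captured]
        if strategy == "random":      # strategy 1: baseline
            pick = rng.choice(remaining)
        elif strategy == "keys":      # strategy 2: max |K_i \ K_C|
            pick = max(remaining, key=lambda i: len(keys[i] - known))
        elif strategy == "links":     # strategy 3: max additional exposed links
            pick = max(remaining, key=lambda i: exposed(links, known | keys[i]))
        else:
            raise ValueError(strategy)
        captured.add(pick)
        known |= keys[pick]
        curve.append(exposed(links, known) / len(links))
    return curve

def captures_to_reach(curve, fraction):
    """Resilience figure: captures needed before `fraction` of links is exposed."""
    return next((n for n, f in enumerate(curve, 1) if f >= fraction), None)

if __name__ == "__main__":
    keys, links = build_network()
    for name in ("random", "keys", "links"):
        curve = capture_curve(keys, links, name, budget=len(keys))
        print(f"{name:7s} captures to expose half the links: {captures_to_reach(curve, 0.5)}")
```

Re-running with a different `ring` or `pool` shows how the key assignment parameters shift each curve, which is the design question the simulation study addresses.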
Figure 5.5: Node capture attacks using the five strategies are illustrated for a wireless sensor network of $|\mathcal{N}| = 500$
nodes for independent path routing (a) without end-to-end security, (b) with end-to-end security, and (c) using a
privacy-preserving set intersection protocol.


[Plot panels: (a) Dependent Path, (b) Dependent Path with End-to-End Security, (c) Dependent Path with Privacy. Horizontal axis: Number of Nodes Captured. Legend: Strategy 2 - Keys, Strategy 3 - Links, Strategy 4 - Traffic, Strategy 5 - GNAVE.]

Figure 5.6: Node capture attacks using the five strategies are illustrated for a wireless sensor network of $|\mathcal{N}| = 500$
nodes for dependent path routing (a) without end-to-end security, (b) with end-to-end security, and (c) using a
privacy-preserving set intersection protocol.
Figure 5.5 and Figure 5.6 illustrate the node capture attacks on independent and dependent
path routing, respectively. In each figure, we notice that the node capture attack using the GNAVE
algorithm outperforms the remaining attacks. The inclusion of the end-to-end shared keys $K_{sd}$ in
Figure 5.5(b) and Figure 5.6(b) shows a consistent decrease in the attack performance for all attacks
and all routing protocols due to the additional secure end-to-end link that must be compromised
in each route. The addition of privacy-preserving set intersection protocols in Figure 5.5(c) and
Figure 5.6(c) illustrates the increased uncertainty in route vulnerability, which slightly degrades the
performance of the attack using the GNAVE algorithm. In comparing Figure 5.5 and Figure 5.6,
we notice that the dependence of messages traversing different paths displays a threshold behavior,
reducing the vulnerability of routes for small $|C|$, but only slightly increasing the number of captured
nodes $|C|$ required to compromise all traffic.


5.9  Summary  of  Contributions 

We  investigated  the  problem  of  developing  new  vulnerability  metrics  that  improve  the  efficiency  of 
node  capture  attacks  when  the  routing  and  key  assignment  protocols  used  in  a  wireless  network 
are  jointly  analyzed.  We  proposed  a  class  of  route  vulnerability  metrics  (RVMs)  to  evaluate  the 
effect of node capture attacks on secure network traffic and developed an RVM realization using
a set theoretic interpretation of the compromise of secure network traffic. We formulated the
optimal node capture attack using RVM evaluation as a nonlinear integer programming minimization
problem and presented the GNAVE algorithm using a greedy heuristic to approximate the
NP-hard problem. We demonstrated a probabilistic approach to estimate the route vulnerability
when privacy-preserving set intersection protocols are used to hide information from the adversary.
Finally, we illustrated node capture attacks using the GNAVE algorithm and compared the performance
of the GNAVE algorithm with previously proposed node capture strategies. In the future,
the  node  capture  attack  framework  proposed  in  this  chapter  will  assist  in  the  joint  design  of  key 
assignment  and  routing  protocols  for  wireless  networks  that  are  robust  to  node  capture  attacks. 